| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | AppleSeed can gain system level privilege by passing |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | AppleSeed has the ability to communicate with C2 over HTTP.[1][2] |
| Enterprise | T1560 | Archive Collected Data | AppleSeed has compressed collected data before exfiltration.[2] |
| Enterprise | T1560.001 | Archive via Utility | AppleSeed can zip and encrypt data collected on a target system.[1] |
| Enterprise | T1119 | Automated Collection | AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | AppleSeed has the ability to create the Registry key name |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | AppleSeed has the ability to execute its payload via PowerShell.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | AppleSeed has the ability to use JavaScript to execute PowerShell.[1] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1025 | Data from Removable Media | AppleSeed can find and collect data from removable media devices.[1][2] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | AppleSeed can stage files in a central location prior to exfiltration.[1] |
| Enterprise | T1030 | Data Transfer Size Limits | AppleSeed has divided files if the size is 0x1000000 bytes or more.[2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1567 | Exfiltration Over Web Service | |
| Enterprise | T1008 | Fallback Channels | AppleSeed can use a second channel for C2 when the primary channel is in upload mode.[1] |
| Enterprise | T1083 | File and Directory Discovery | AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | AppleSeed can delete files from a compromised host after they are exfiltrated.[1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | AppleSeed can use |
| Enterprise | T1036 | Masquerading | |
| Enterprise | T1036.005 | Match Legitimate Name or Location | AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.[1] |
| Enterprise | T1106 | Native API | AppleSeed has the ability to use multiple dynamically resolved API calls.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.[1] |
| Enterprise | T1027.002 | Software Packing | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | AppleSeed has been distributed to victims through malicious e-mail attachments.[1] |
| Enterprise | T1057 | Process Discovery | AppleSeed can enumerate the current process on a compromised host.[1] |
| Enterprise | T1113 | Screen Capture | AppleSeed can take screenshots on a compromised host by calling a series of APIs.[1][2] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | |
| Enterprise | T1082 | System Information Discovery | AppleSeed can identify the OS version of a targeted system.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1124 | System Time Discovery | AppleSeed can pull a timestamp from the victim's machine.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | AppleSeed can achieve execution through users running malicious file attachments distributed via email.[1] |