Remote Commands

January 2, 2024 ยท View on GitHub

ID B0011
Objective(s) Execution
Related ATT&CK Techniques None
Version 2.0
Created 1 August 2019
Last Modified 5 December 2023

Remote Commands

Malware may provide an attacker with explicit commands. This behavior differs from the Remote Access (B0022) behavior under the Impact objective in that Impact: Remote Access is potentially much broader and may include full remote access.

Given an "execute" command, the attacker may choose to delete files or corrupt data, power-off the machine, or upload and execute other applications. The malware may also provide specific commands to the attacker (e.g., "delete file").

Commands provided by the malware can be captured with the methods defined below. For example, malware that enables an attacker to delete a file could be tagged with Execution:Remote Commands:Delete File.

It may be useful to capture remote commands along with related behaviors because the associated descriptions could provide details of how the malware implements the command. For example, Defense Evasion:File Deletion could be used to provide details and context to Execution:Remote Commands:Delete File.

Autonomous behaviors - those done by the malware without an active attacker - should not be captured with Execution:Remote Commands. For example, malware that automatically destroys data would be tagged with the Impact: Data Destruction (E1485) behavior.

Methods

NameIDDescription
Delete FileB0011.001--
Download FileB0011.002--
ExecuteB0011.003--
ShutdownB0011.004--
SleepB0011.005--
UninstallB0011.006--
Upload FileB0011.007--

Use in Malware

NameDateMethodDescription
Ursnif2016--The malware commands sent by a remote user can archive/upload files, capture screenshots, clear cookies, download/execute other files, list running processes, reboot the affected system, steal certificates and cookies, update/download a configuration file, and upload a log file which contains stolen information. [1]
BlackEnergy2007--Infected bots receive commands from the botmaster to load plugins associated with botmaster's goals. [2]
TrickBot2016--The malware receives various commands from the C2 server. [3]
Matanbuchus2021B0011.005The malware sleeps if it fails to send collected data or execute its commands. [4] [5]
Matanbuchus2021B0011.006The malware loader can uninstall itself from the victim computer. [4] [5]

References

[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279

[2] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

[3] https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

[4] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/

[5] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader