| ID | B0011 |
| Objective(s) | Execution |
| Related ATT&CK Techniques | None |
| Version | 2.0 |
| Created | 1 August 2019 |
| Last Modified | 5 December 2023 |
Malware may provide an attacker with explicit commands. This behavior differs from the Remote Access (B0022) behavior under the Impact objective in that Impact: Remote Access is potentially much broader and may include full remote access.
Given an "execute" command, the attacker may choose to delete files or corrupt data, power-off the machine, or upload and execute other applications. The malware may also provide specific commands to the attacker (e.g., "delete file").
Commands provided by the malware can be captured with the methods defined below. For example, malware that enables an attacker to delete a file could be tagged with Execution:Remote Commands:Delete File.
It may be useful to capture remote commands along with related behaviors because the associated descriptions could provide details of how the malware implements the command. For example, Defense Evasion:File Deletion could be used to provide details and context to Execution:Remote Commands:Delete File.
Autonomous behaviors - those done by the malware without an active attacker - should not be captured with Execution:Remote Commands. For example, malware that automatically destroys data would be tagged with the Impact: Data Destruction (E1485) behavior.
| Name | ID | Description |
|---|---|---|
| Delete File | B0011.001 | -- |
| Download File | B0011.002 | -- |
| Execute | B0011.003 | -- |
| Shutdown | B0011.004 | -- |
| Sleep | B0011.005 | -- |
| Uninstall | B0011.006 | -- |
| Upload File | B0011.007 | -- |
| Name | Date | Method | Description |
|---|---|---|---|
| Ursnif | 2016 | -- | The malware commands sent by a remote user can archive/upload files, capture screenshots, clear cookies, download/execute other files, list running processes, reboot the affected system, steal certificates and cookies, update/download a configuration file, and upload a log file which contains stolen information. [1] |
| BlackEnergy | 2007 | -- | Infected bots receive commands from the botmaster to load plugins associated with botmaster's goals. [2] |
| TrickBot | 2016 | -- | The malware receives various commands from the C2 server. [3] |
| Matanbuchus | 2021 | B0011.005 | The malware sleeps if it fails to send collected data or execute its commands. [4] [5] |
| Matanbuchus | 2021 | B0011.006 | The malware loader can uninstall itself from the victim computer. [4] [5] |
[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279
[2] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[3] https://www.cybereason.com/blog/research/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
[4] https://www.0ffset.net/reverse-engineering/matanbuchus-loader-analysis/
[5] https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader