Classe: Trojan
Un programme malveillant conçu pour espionner électroniquement les activités de l'utilisateur (intercepter la saisie au clavier, prendre des captures d'écran, capturer une liste d'applications actives, etc.). Les informations collectées sont envoyées au cybercriminel par divers moyens, y compris par courrier électronique, FTP et HTTP (en envoyant des données dans une requête).Plus d'informations
Plateforme: Win32
Win32 est une API sur les systèmes d'exploitation Windows NT (Windows XP, Windows 7, etc.) qui prend en charge l'exécution des applications 32 bits. L'une des plateformes de programmation les plus répandues au monde.Famille: Trojan.Win32.Refroso
No family descriptionExamples
E07526CB10DA782402D7ECD39278218599B9360952AB4A33326E56B770587CFE
7B50333A79F2D73A7908D1FAFBDCE21B
281A3CB964C09596625BD17814B42DE2
1047305C56FE36FC40FFC2FC5C2B23D5
Tactics and Techniques: Mitre*
TA0007
Discovery
The adversary is trying to figure out your environment.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
T1518.001
Software Discovery: Security Software Discovery
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Example commands that can be used to obtain security software information are netsh,
Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the
Example commands that can be used to obtain security software information are netsh,
reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) For example, the permitted IP ranges, ports or user accounts for the inbound/outbound rules of security groups, virtual firewalls established within AWS for EC2 and/or VPC instances, can be revealed by the
DescribeSecurityGroups action with various request parameters. (Citation: DescribeSecurityGroups - Amazon Elastic Compute Cloud) * © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.