HackerFeeds

bluelocker

0 tracked victims

Group profile

Blue Locker targets Pakistan’s vital energy sector, particularly Pakistan Petroleum.

MITRE ATT&CK TTPs

TA0003 Persistence

  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

    Achieves persistence through Registry Run Keys, ensuring execution after system reboot.

TA0004 Privilege Escalation

  • T1543 Create or Modify System Process

    Modifies system services for persistence and privilege escalation.

  • T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

    Bypasses UAC via registry manipulation, elevating privileges without user consent.

TA0005 Defense Evasion

  • T1070.006 Indicator Removal: Timestomp

    Uses timestomping to alter file timestamps, making the malicious files harder to identify during forensic timeline analysis.

  • T1140 Deobfuscate/Decode Files or Information

    Implements obfuscation and deobfuscation to evade detection by security tools and analysts.

  • T1562.001 Impair Defenses: Disable or Modify Tools

    Disables UAC to avoid detection and remain persistent without being interrupted by security controls.

TA0007 Discovery

  • T1012 Query Registry

    Performs registry queries to gather system configuration and installed software information.

  • T1057 Process Discovery

    Enumerates running processes to identify which processes to target for exploitation or injection.

  • T1083 File and Directory Discovery

    Explores file and directory structures to find valuable files for encryption or exfiltration.

  • T1087 Account Discovery

    Discovers user accounts for credential harvesting or lateral movement across systems.

  • T1497 Virtualization/Sandbox Evasion

    Detects virtualized or sandboxed environments to avoid detection during dynamic analysis.

TA0009 Collection

  • T1056 Input Capture

    Uses raw input capture to steal user credentials or session data during active sessions.

  • T1074 Data Staged

    Prepares collected data in temporary or known directories before exfiltration or further exploitation.

TA0040 Impact

  • T1489 Service Stop

    Stops system services so that the encryption process is not interrupted, maximizing the damage.

  • T1490 Inhibit System Recovery

    Inhibits system recovery by disabling or deleting backup systems, ensuring that victims cannot restore their encrypted files.

Recent victims

No victims tracked yet.