S0461: SDBbot
Analyst context for executives and security teams
SDBbot is a Windows backdoor with installer and loader components, reported by ATT&CK as used by TA505 since at least 2019. Its ATT&CK relationships make it operationally important because it is not just a single executable problem: the mapped behaviors cover persistence, discovery, command execution, tool transfer, proxy/C2 activity, data collection, exfiltration over C2, and evidence removal. For leaders, this is a useful test case for whether endpoint, network, identity, and incident response controls can reconstruct a Windows intrusion after the adversary has tried to blend in and clean up.
Executive priority
Prioritize SDBbot-relevant coverage where Windows systems support critical operations or sensitive data access. The mapped behaviors raise business questions about resilience and evidence quality: can the organization detect persistence through Run keys, shims, IFEO, rundll32, and DLL injection; can it see RDP-based lateral movement using valid accounts; and can it identify data staging or exfiltration over an existing C2 channel? This object is also useful for audit and readiness discussions because ATT&CK provides no official detection guidance, so local evidence of telemetry, control validation, and response playbooks becomes the main proof of preparedness.
Technical view
SOC and IR teams should validate coverage around the Windows behaviors linked to SDBbot: command execution via Windows Command Shell, rundll32 proxy execution, DLL injection, persistence through Registry Run Keys/Startup Folder, Application Shimming, and IFEO debugger configuration. Discovery coverage should include process, user, system, network configuration, location, and file/directory enumeration. Network monitoring should account for proxy use, non-application-layer protocol C2, ingress tool transfer, and exfiltration over the C2 channel. Because related behaviors include obfuscation, packing, deobfuscation, and file deletion, response procedures should assume that simple file-hash matching and post-incident artifact review may be incomplete.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows registry modification telemetry, especially Run keys, IFEO debugger keys, and application compatibility/shim-related changes
- Module load, DLL injection, and suspicious cross-process activity telemetry where available
- rundll32.exe execution context, parent/child process relationships, and loaded DLL details
- RDP logon/session telemetry and account usage records
Detection direction
- Do not rely on a single malware signature; ATT&CK maps SDBbot to obfuscation, software packing, and deobfuscation behaviors that can reduce static-detection reliability.
- Tune detections for suspicious combinations: Windows command shell plus discovery commands, rundll32 with unusual DLL paths or arguments, persistence registry changes followed by outbound network activity, and RDP logons followed by tool transfer or discovery.
- Validate that endpoint telemetry captures both execution and persistence artifacts before cleanup occurs, since File Deletion and Indicator Removal are mapped behaviors.
- Review false positives carefully for administrative tools and legitimate RDP, rundll32, registry, and discovery activity; focus on abnormal parent processes, unusual users, unusual hosts, and sequences of behavior.
- Correlate host and network telemetry for exfiltration over C2 and proxy behavior, since either side alone may appear benign or incomplete.
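The Technical view and Detection direction items above describe behaviour combinations rather than indicators. The following is an added example, not code from ATT&CK, Glexia, MITRE or any vendor, that turns four of those combinations into runnable detection logic over a constructed, Sysmon-like event stream: a cmd.exe discovery burst from one parent, rundll32.exe started without a DLL (the kind of bare process a loader injects into) or with an untrusted DLL path, a write under a Run/IFEO/shim key followed by outbound traffic, and an RDP logon followed by discovery under the same account. The event field names, the dropper path, the `target.exe` IFEO entry and all sample events are assumptions made for the example; the rule names are not ATT&CK identifiers.

```python
"""Added example, not from ATT&CK, Glexia or any vendor: a small detection
prototype for the SDBbot-mapped behaviours above. The event schema is an
assumed, simplified Sysmon-like shape and SAMPLE_EVENTS are constructed."""
import ipaddress
from datetime import datetime, timedelta

# Persistence surfaces named on this page, matched as lower-case key fragments.
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\image file execution options\\",
                    "\\appcompatflags\\custom", "\\appcompatflags\\installedsdb")
DISCOVERY_CMDS = {"whoami", "systeminfo", "tasklist", "ipconfig", "net", "hostname", "query"}
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
CMD, RUNDLL = "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\rundll32.exe"
TMP = "C:\\Users\\svc-ops\\AppData\\Local\\Temp\\inst.exe"  # assumed dropper path, not a known IOC


def _proc(ts, user, image, parent, cmdline):
    return {"ts": ts, "host": "WS1", "type": "process", "user": user,
            "image": image, "parent": parent, "cmdline": cmdline}


SAMPLE_EVENTS = [  # constructed telemetry for one host; 203.0.113.10 is a documentation address
    {"ts": "2024-01-01T10:00:00", "host": "WS1", "type": "logon", "user": "CORP\\svc-ops", "logon_type": 10},
    _proc("2024-01-01T10:01:00", "CORP\\svc-ops", CMD, TMP, "cmd.exe /c whoami"),
    _proc("2024-01-01T10:01:05", "CORP\\svc-ops", CMD, TMP, "cmd.exe /c systeminfo"),
    _proc("2024-01-01T10:01:10", "CORP\\svc-ops", CMD, TMP, "cmd.exe /c net user"),
    {"ts": "2024-01-01T10:02:00", "host": "WS1", "type": "registry", "user": "CORP\\svc-ops", "image": TMP,
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\target.exe",
     "value": "Debugger"},  # target.exe is a placeholder, not a documented SDBbot target
    _proc("2024-01-01T10:02:30", "CORP\\svc-ops", RUNDLL, TMP, "rundll32.exe"),
    {"ts": "2024-01-01T10:03:00", "host": "WS1", "type": "network", "user": "CORP\\svc-ops",
     "image": RUNDLL, "dst_ip": "203.0.113.10", "dst_port": 443},
    _proc("2024-01-01T11:00:00", "CORP\\alice", RUNDLL, "C:\\Windows\\explorer.exe",
          "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),  # benign baseline
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def shell_discovery_bursts(events, window=timedelta(minutes=5), min_cmds=3):
    """T1059.003 + discovery: >= min_cmds distinct discovery commands from one parent in `window`."""
    by_parent = {}
    for e in events:
        if e["type"] == "process" and e["image"].lower().endswith("\\cmd.exe"):
            cmd = next((w for w in e["cmdline"].lower().split() if w in DISCOVERY_CMDS), None)
            if cmd:
                by_parent.setdefault((e["host"], e["user"], e["parent"]), []).append((_t(e), cmd))
    hits = []
    for (host, user, parent), seq in by_parent.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            cmds = {c for t, c in seq[i:] if t - t0 <= window}
            if len(cmds) >= min_cmds:
                hits.append({"rule": "shell_discovery_burst", "host": host, "user": user, "parent": parent,
                             "first_seen": t0, "commands": sorted(cmds)})
                break
    return hits


def suspicious_rundll32(events):
    """T1218.011/T1055.001: rundll32 with no DLL argument (injection host) or an untrusted DLL path."""
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        parts = e["cmdline"].split(maxsplit=1)
        dll = parts[1].split(",")[0].strip('"').lower() if len(parts) > 1 else ""
        if dll and dll.startswith(TRUSTED_DLL_DIRS):
            continue
        hits.append({"rule": "suspicious_rundll32", "host": e["host"], "parent": e["parent"],
                     "reason": "no DLL argument" if not dll else "untrusted DLL " + dll})
    return hits


def persistence_then_egress(events, window=timedelta(minutes=10)):
    """Persistence-key write followed on the same host by egress to a non-internal address."""
    writes = [e for e in events if e["type"] == "registry"
              and any(k in e["key"].lower() for k in PERSISTENCE_KEYS)]
    egress = [e for e in events if e["type"] == "network"
              and not any(ipaddress.ip_address(e["dst_ip"]) in n for n in INTERNAL_NETS)]
    hits = []
    for w in writes:
        for n in egress:
            if n["host"] == w["host"] and timedelta(0) <= _t(n) - _t(w) <= window:
                hits.append({"rule": "persistence_then_egress", "host": w["host"], "key": w["key"],
                             "value": w.get("value"), "dst": f"{n['dst_ip']}:{n['dst_port']}"})
                break
    return hits


def rdp_then_discovery(events, window=timedelta(minutes=15)):
    """T1021.001: RDP logon (type 10) then a discovery burst for the same account and host."""
    logons = [e for e in events if e["type"] == "logon" and e.get("logon_type") == 10]
    return [{"rule": "rdp_then_discovery", "host": b["host"], "user": b["user"], "commands": b["commands"]}
            for b in shell_discovery_bursts(events) for lg in logons
            if lg["host"] == b["host"] and lg["user"] == b["user"]
            and timedelta(0) <= b["first_seen"] - _t(lg) <= window]


def run_all(events):
    return (shell_discovery_bursts(events) + suspicious_rundll32(events)
            + persistence_then_egress(events) + rdp_then_discovery(events))
```

Run as `python -c "import sdbbot_rules; print(sdbbot_rules.run_all(sdbbot_rules.SAMPLE_EVENTS))"` (the module name is yours to choose): the benign shell32.dll control-panel launch passes through, while the bare rundll32.exe, the IFEO write followed by port-443 egress, and the RDP-then-discovery sequence each produce one hit. Relative DLL names such as `rundll32.exe shell32.dll,Control_RunDLL` are flagged as untrusted by design; widen TRUSTED_DLL_DIRS or resolve paths against your own baseline before deploying. The windows and the discovery command list are tuning points, not values supported by the ATT&CK object.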
Mitigation priorities
- Harden Windows persistence surfaces by monitoring and controlling Run keys, Startup folders, IFEO debugger configuration, and application shims.
- Limit and monitor RDP access, especially use of valid accounts across systems, with strong identity controls and reviewable session evidence.
- Ensure endpoint protection and logging cover command shell execution, rundll32 usage, DLL/module activity, and file deletion events on critical Windows assets.
- Restrict unnecessary outbound network paths and inspect or alert on unusual C2-like protocols, proxy behavior, and tool transfer patterns where feasible.
- Prepare IR playbooks that preserve volatile and endpoint evidence quickly, because mapped behaviors include stealth, obfuscation, and artifact removal.
Analyst notes and limits
The most decision-relevant context is the combination of SDBbot’s Windows platform, backdoor/installer/loader description, reported TA505 use since at least 2019, and the broad set of ATT&CK technique relationships. These relationships point defenders toward behavior-based validation rather than only malware-family identification. The supplied object has no official ATT&CK detection text, so detection content here is derived from the mapped techniques and should be validated against local logging, asset criticality, and normal administrative behavior.
This take uses only the supplied ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, infrastructure, payload details, or guaranteed detection. Several related technique descriptions list broad or non-Windows platforms, but the SDBbot software object itself is supplied as Windows, so platform conclusions should remain Windows-focused unless local intelligence supports more.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | SDBbot has the ability to get directory listings or drive information on a compromised host. [1] |
| Enterprise | T1070 | Indicator Removal | SDBbot has the ability to clean up and remove data structures from a compromised host. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SDBbot has the ability to decrypt and decompress its payload to enable code execution. [1][2] |
| Enterprise | T1090 | Proxy | SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2. [1] |
| Enterprise | T1546.011 | Application Shimming | SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe. [1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process. [1] |
| Enterprise | T1218.011 | Rundll32 | SDBbot has used rundll32.exe to execute DLLs. (Korean FSI TA505 2020) |
| Enterprise | T1027.002 | Software Packing | SDBbot has used a packed installer file. [2] |
| Enterprise | T1614 | System Location Discovery | SDBbot can collect the country code of a compromised machine. (Korean FSI TA505 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. [1][2] |
| Enterprise | T1005 | Data from Local System | SDBbot has the ability to access the file system on a compromised host. [1] |
| Enterprise | T1021.001 | Remote Desktop Protocol | SDBbot has the ability to use RDP to connect to victims' machines. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | SDBbot has the ability to download a DLL from C2 to a compromised host. [1] |
| Enterprise | T1082 | System Information Discovery | SDBbot has the ability to identify the OS version, OS bit information and computer name. [1] (Korean FSI TA505 2020) |
| Enterprise | T1125 | Video Capture | SDBbot has the ability to record video on a compromised host. [1][2] |
| Enterprise | T1546.012 | Image File Execution Options Injection | SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host. [1] |
| Enterprise | T1033 | System Owner/User Discovery | SDBbot has the ability to identify the user on a compromised host. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | SDBbot has the ability to communicate with C2 using TCP over port 443. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SDBbot has sent collected data from a compromised host to its C2 servers. (Korean FSI TA505 2020) |
| Enterprise | T1057 | Process Discovery | SDBbot can enumerate a list of running processes on a compromised machine. (Korean FSI TA505 2020) |
| Enterprise | T1059.003 | Windows Command Shell | SDBbot has the ability to use the command shell to execute commands on a compromised host. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128-byte key. [1] |
| Enterprise | T1070.004 | File Deletion | SDBbot has the ability to delete files from a compromised host. [1] |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 6be836644f70… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Proofpoint TA505 October 2019: Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- [2] IBM TA505 April 2020: Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- [3] MITRE ATT&CK: S0461 SDBbot software entry.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.