{"description": "Enterprise techniques used by TA505, ATT&CK group G0092 v1.0", "name": "TA505 (G0092)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1503", "techniqueName": "Credentials from Web Browsers", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has used malware to gather credentials from Internet Explorer."}, {"score": 1, "techniqueID": "T1105", "techniqueName": "Remote File Copy", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has downloaded additional malware to execute on victim systems."}, {"score": 1, "techniqueID": "T1116", "techniqueName": "Code Signing", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has signed payloads with code signing certificates from Thawte and Sectigo."}, {"score": 1, "techniqueID": "T1085", "techniqueName": "Rundll32", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has leveraged <code>rundll32.exe</code> to execute malicious DLLs."}, {"score": 1, "techniqueID": "T1218", "techniqueName": "Signed Binary Proxy Execution", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has used <code>msiexec</code> to download and execute malicious Windows Installer files."}, {"score": 1, "techniqueID": "T1204", "techniqueName": "User Execution", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has used lures to get users to click links in emails and attachments, enable content in malicious attachments, and execute malicious files contained in archives. For example, [TA505](https://attack.mitre.org/groups/G0092) makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. 
"}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has password-protected malicious Word documents and used base64 encoded PowerShell commands."}, {"score": 1, "techniqueID": "T1081", "techniqueName": "Credentials in Files", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has used malware to gather credentials from FTP clients and Outlook."}, {"score": 1, "techniqueID": "T1486", "techniqueName": "Data Encrypted for Impact", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has used a wide variety of ransomware, such as Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment."}, {"score": 1, "techniqueID": "T1064", "techniqueName": "Scripting", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has used PowerShell, VBS, and JavaScript for code execution."}, {"score": 1, "techniqueID": "T1086", "techniqueName": "PowerShell", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has used PowerShell to download and execute malware and reconnaissance scripts."}, {"score": 1, "techniqueID": "T1192", "techniqueName": "Spearphishing Link", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has sent spearphishing emails containing malicious links."}, {"score": 1, "techniqueID": "T1173", "techniqueName": "Dynamic Data Exchange", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has leveraged malicious Word documents that abused DDE."}, {"score": 1, "techniqueID": "T1193", "techniqueName": "Spearphishing Attachment", "comment": "[TA505](https://attack.mitre.org/groups/G0092) has used spearphishing emails with malicious attachments to initially compromise victims."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TA505", "color": "#ff6666"}]}