{"description": "Enterprise techniques used by Tropic Trooper, ATT&CK group G0081 v1.0", "name": "Tropic Trooper (G0081)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1050", "techniqueName": "New Service", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) installs a service pointing to a malicious DLL dropped to disk."}, {"score": 1, "techniqueID": "T1033", "techniqueName": "System Owner/User Discovery", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) used <code>letmein</code> to scan for saved usernames on the target system."}, {"score": 1, "techniqueID": "T1082", "techniqueName": "System Information Discovery", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has detected a target system\u2019s OS version."}, {"score": 1, "techniqueID": "T1135", "techniqueName": "Network Share Discovery", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) used <code>netview</code> to scan target systems for shared resources."}, {"score": 1, "techniqueID": "T1046", "techniqueName": "Network Service Scanning", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) used <code>pr</code> to scan for open ports on target systems."}, {"score": 1, "techniqueID": "T1073", "techniqueName": "DLL Side-Loading", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has been known to side-load DLLs using a valid version of Windows Address Book executable with one of their tools."}, {"score": 1, "techniqueID": "T1203", "techniqueName": "Exploitation for Client Execution", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158."}, {"score": 1, "techniqueID": "T1055", "techniqueName": "Process Injection", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has injected a DLL backdoor into a file dllhost.exe."}, 
{"score": 1, "techniqueID": "T1197", "techniqueName": "BITS Jobs", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has leveraged the BITSadmin command-line tool to create a job and launch a malicious process."}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has encrypted configuration files."}, {"score": 1, "techniqueID": "T1032", "techniqueName": "Standard Cryptographic Protocol", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) uses SSL to connect to C2 servers."}, {"score": 1, "techniqueID": "T1193", "techniqueName": "Spearphishing Attachment", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) sent spearphishing emails that contained malicious Microsoft Office attachments."}, {"score": 1, "techniqueID": "T1158", "techniqueName": "Hidden Files and Directories", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) has created a hidden directory under <code>C:\\ProgramData\\Apple\\Updates\\</code>."}, {"score": 1, "techniqueID": "T1221", "techniqueName": "Template Injection", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document."}, {"score": 1, "techniqueID": "T1140", "techniqueName": "Deobfuscate/Decode Files or Information", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) used shellcode with an XOR algorithm to decrypt a payload."}, {"score": 1, "techniqueID": "T1004", "techniqueName": "Winlogon Helper DLL", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) creates the Registry key <code>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell</code> and sets the value to establish persistence."}, {"score": 1, "techniqueID": "T1043", "techniqueName": 
"Commonly Used Port", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) can use ports 443 and 53 for C2 communications via malware called TClient."}, {"score": 1, "techniqueID": "T1057", "techniqueName": "Process Discovery", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) enumerates the running processes on the system."}, {"score": 1, "techniqueID": "T1063", "techniqueName": "Security Software Discovery", "comment": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) searches for anti-virus software running on the system."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Tropic Trooper", "color": "#ff6666"}]}