{"description": "Enterprise techniques used by WIRTE, ATT&CK group G0090 v1.0", "name": "WIRTE (G0090)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1140", "techniqueName": "Deobfuscate/Decode Files or Information", "comment": "[WIRTE](https://attack.mitre.org/groups/G0090) has decoded a base64 encoded document which was embedded in a VBS script."}, {"score": 1, "techniqueID": "T1117", "techniqueName": "Regsvr32", "comment": "[WIRTE](https://attack.mitre.org/groups/G0090) has used Regsvr32.exe to trigger the execution of a malicious script."}, {"score": 1, "techniqueID": "T1105", "techniqueName": "Remote File Copy", "comment": "[WIRTE](https://attack.mitre.org/groups/G0090) has downloaded PowerShell code from the C2 server to be executed."}, {"score": 1, "techniqueID": "T1086", "techniqueName": "PowerShell", "comment": "[WIRTE](https://attack.mitre.org/groups/G0090) has used PowerShell for script execution."}, {"score": 1, "techniqueID": "T1064", "techniqueName": "Scripting", "comment": "[WIRTE](https://attack.mitre.org/groups/G0090) has used VBS and PowerShell scripts throughout its operation.\t"}, {"score": 1, "techniqueID": "T1071", "techniqueName": "Standard Application Layer Protocol", "comment": "[WIRTE](https://attack.mitre.org/groups/G0090) has used HTTP for network communication.\t"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by WIRTE", "color": "#ff6666"}]}