{"description": "Enterprise techniques used by Frankenstein, ATT&CK campaign C0001 (v1.1)", "name": "Frankenstein (C0001)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used HTTP GET requests for C2.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used [Empire](https://attack.mitre.org/software/S0363) to automatically gather the username, domain name, machine name, and other system information.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1020", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors collected information via [Empire](https://attack.mitre.org/software/S0363), which was automatically sent back to the adversary's C2.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors ran a command script to set up persistence as a scheduled task named \"WinUpdate\", as well as other encoded commands from the command line.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used [Empire](https://attack.mitre.org/software/S0363) to gather various local system information.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors collected information via [Empire](https://attack.mitre.org/software/S0363), which sent the data back to the adversary's C2.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors exploited CVE-2017-11882 to execute code on the victim's machine.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors downloaded files and tools onto a victim machine.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors named a malicious scheduled task \"WinUpdate\" for persistence.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors ran encoded commands from the command line.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "For [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors obtained and used [Empire](https://attack.mitre.org/software/S0363).(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors likely used spearphishing emails to send malicious Microsoft Word documents.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used [Empire](https://attack.mitre.org/software/S0363) to obtain a list of all running processes.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors established persistence through a scheduled task using the command: `/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR`, named \"WinUpdate\".(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used WMI queries to determine if analysis tools were running on a compromised system.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used [Empire](https://attack.mitre.org/software/S0363) to obtain the compromised machine's name.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used [Empire](https://attack.mitre.org/software/S0363) to find the public IP address of a compromised system.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used [Empire](https://attack.mitre.org/software/S0363) to enumerate hosts and gather username, machine name, and administrative permissions information.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1221", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1127", "showSubtechniques": true}, {"techniqueID": "T1127.001", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used MSBuild to execute an actor-created file.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors relied on a victim to enable macros within a malicious Microsoft Word document likely sent via email.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMware and VirtualBox. The script would also call WMI to determine the number of cores allocated to the system; if fewer than two, the script would stop execution.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "During [Frankenstein](https://attack.mitre.org/campaigns/C0001), the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version.(Citation: Talos Frankenstein June 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Frankenstein", "color": "#66b1ff"}]}