{"description": "Enterprise techniques used by C0021, ATT&CK campaign C0021 (v1.0)", "name": "C0021 (C0021)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "For [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors registered domains for use in C2.(Citation: FireEye APT29 Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors used HTTP for some of their C2 communications.(Citation: FireEye APT29 Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", "showSubtechniques": true}, {"techniqueID": "T1584.001", "comment": "For [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors used legitimate but compromised domains to host malicious payloads.(Citation: Microsoft Unidentified Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors deobfuscated encoded PowerShell commands including use of the specific string `'FromBase'+0x40+'String'`, in place of `FromBase64String` which is normally used to decode base64.(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors used SSL via TCP port 443 for C2 communications.(Citation: FireEye APT29 Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors downloaded additional tools and files onto victim machines.(Citation: Microsoft Unidentified Dec 2018)(Citation: FireEye APT29 Nov 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors used TCP for some C2 communications.(Citation: FireEye APT29 Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "For [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors embedded a base64-encoded payload within a LNK file.(Citation: Microsoft Unidentified Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors used encoded PowerShell commands.(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "For [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors used [Cobalt Strike](https://attack.mitre.org/software/S0154) configured with a modified variation of the publicly available Pandora Malleable C2 Profile.(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": 
true}, {"techniqueID": "T1566.002", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors sent phishing emails with unique malicious links, likely for tracking victim clicks.(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "For [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors uploaded malware to websites under their control.(Citation: FireEye APT29 Nov 2018)(Citation: Microsoft Unidentified Dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors used `rundll32.exe` to execute the [Cobalt Strike](https://attack.mitre.org/software/S0154) Beacon loader DLL.(Citation: FireEye APT29 Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "During [C0021](https://attack.mitre.org/campaigns/C0021), the threat actors lured users into clicking a malicious link which led to the download of a  ZIP archive containing a malicious .LNK file.(Citation: FireEye APT29 Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by C0021", "color": "#66b1ff"}]}
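The T1140, T1027.009 and T1027.010 entries above describe the obfuscation this campaign relied on: a PowerShell call built as `'FromBase'+0x40+'String'` so that the literal `FromBase64String` never appears in the script, and a base64-encoded payload stored inside the .LNK that the script reads back and decodes. The following is an added analyst-side example, not part of the ATT&CK layer or of the cited FireEye and Microsoft reports. It folds PowerShell string-concatenation chains back into the string they evaluate to (PowerShell coerces an integer on the right of a string `+` to text, so `0x40` becomes `64`), matches indicators on the folded script, and carves base64 runs out of an LNK-like byte blob. The script text, file names, DLL export name and embedded payload are constructed for illustration and are not artifacts from the campaign.

```python
"""Added example (not from the ATT&CK layer or the cited reports).

T1140 / T1027.010: fold PowerShell concatenation obfuscation such as
'FromBase'+0x40+'String' back to FromBase64String before matching on it.
T1027.009: carve and decode a base64 run embedded in an LNK (or any) byte blob.

Every sample input below is constructed; names and script text are assumptions.
"""
import base64
import binascii
import re

# A term PowerShell can join with '+' on the right of a string literal:
# single/double-quoted string, hex integer literal, or decimal integer literal.
_TERM = r"(?:'[^']*'|\"[^\"]*\"|0x[0-9a-fA-F]+|\d+)"
# A chain must start with a string literal: "string + int" coerces the int to
# text, which is what makes 'FromBase'+0x40+'String' evaluate to FromBase64String.
# Escaped quotes inside literals and "$var" interpolation are not handled.
_CONCAT_RE = re.compile(r"(?:'[^']*'|\"[^\"]*\")(?:\s*\+\s*" + _TERM + r")+")


def _literal_value(tok: str) -> str:
    """Value of one term, stringified the way PowerShell would."""
    if tok[0] in "'\"":
        return tok[1:-1]
    if tok.lower().startswith("0x"):
        return str(int(tok, 16))  # 0x40 -> "64"
    return str(int(tok))


def fold_concatenations(script: str) -> str:
    """Replace every +-joined chain of literals by the single string it builds."""
    def repl(m):
        terms = re.findall(_TERM, m.group(0))
        return "'" + "".join(_literal_value(t) for t in terms) + "'"
    return _CONCAT_RE.sub(repl, script)


# Strings worth alerting on once the obfuscation is folded away.
INDICATORS = ("FromBase64String", "rundll32")


def find_indicators(script: str) -> list:
    """Indicators present in the script after concatenation folding (case-insensitive)."""
    folded = fold_concatenations(script).lower()
    return sorted(i for i in INDICATORS if i.lower() in folded)


def carve_base64_payloads(blob: bytes, min_chars: int = 32) -> list:
    """Decode every run of at least min_chars base64 characters in a byte blob.

    Runs that are not valid base64 (bad length or padding) are skipped, so the
    caller only sees candidates that actually decode.
    """
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_chars)
    payloads = []
    for m in pattern.finditer(blob):
        try:
            payloads.append(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue
    return payloads


# --- constructed sample inputs ---------------------------------------------
# Modeled on the obfuscation quoted in the T1140 entry; the surrounding code,
# variable names, offset and length are made up for this example.
SAMPLE_SCRIPT = (
    "$b=[IO.File]::ReadAllBytes($env:TEMP+'\\x.lnk');"
    "$p=[Convert]::('FromBase'+0x40+'String')"
    "([Text.Encoding]::ASCII.GetString($b,1024,64));"
)

# ShellLink header: HeaderSize 0x4C, LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# Hypothetical embedded payload (assumption, not an artifact from the reports).
PAYLOAD = b"rundll32.exe C:\\Users\\Public\\loader.dll,StartW"
SAMPLE_LNK = LNK_HEADER + b"\x00" * 32 + base64.b64encode(PAYLOAD) + b"\x00" * 8


if __name__ == "__main__":
    print(fold_concatenations(SAMPLE_SCRIPT))
    print(find_indicators(SAMPLE_SCRIPT))
    for payload in carve_base64_payloads(SAMPLE_LNK):
        print(payload)
```

The folding step is the part that matters for detection: a rule that looks for the literal `FromBase64String` in PowerShell script block logs misses this campaign's variant, while a rule run over the folded text catches it. The base64 carver is deliberately generic (any long base64 run in any file), since the real loader read the blob from a fixed offset inside the LNK that an analyst does not know in advance.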