{"description": "Enterprise techniques used by Taidoor, ATT&CK software S0011 (v2.1)", "name": "Taidoor (S0011)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) has used HTTP GET and POST requests for C2.(Citation: TrendMicro Taidoor)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) has modified the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run key for persistence.(Citation: TrendMicro Taidoor)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can copy cmd.exe into the system temp folder.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can upload data and files from a victim's machine.(Citation: TrendMicro Taidoor)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can use a stream cipher to decrypt strings used by the malware.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) uses RC4 to encrypt the message body of HTTP content.(Citation: TrendMicro Taidoor)(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1083", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can search for specific files.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can use DeleteFileA to remove files from infected hosts.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) has downloaded additional files onto a compromised host.(Citation: TrendMicro Taidoor)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) has the ability to modify the Registry on compromised hosts using RegDeleteValueA and RegCreateKeyExA.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary.(Citation: TrendMicro Taidoor)(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can use TCP for C2 communications.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can use encrypted string blocks for obfuscation.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) has been delivered through spearphishing emails.(Citation: TrendMicro Taidoor)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can use GetCurrentProcessId for process discovery.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can perform DLL loading.(Citation: TrendMicro Taidoor)(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can query the Registry on compromised hosts using RegQueryValueExA.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) has collected the MAC address of a compromised host; it can also use GetAdaptersInfo to identify network adapters.(Citation: TrendMicro Taidoor)(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) can use GetLocalTime and GetSystemTime to collect system time.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Taidoor](https://attack.mitre.org/software/S0011) has relied upon a victim to click on a malicious email attachment.(Citation: TrendMicro Taidoor)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Taidoor", "color": "#66b1ff"}]}