{"description": "Enterprise techniques used by Mis-Type, ATT&CK software S0084 (v1.2)", "name": "Mis-Type (S0084)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) may create a file containing the results of the command cmd.exe /c net user {Username}.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) network traffic can communicate over HTTP.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) has created registry keys for persistence, including `HKCU\\Software\\bkfouerioyou`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) has used `cmd.exe` to run commands on a compromised host.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) may create a temporary user on the system named `Lost_{Unique Identifier}`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, 
{"techniqueID": "T1132.001", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) uses Base64 encoding for C2 traffic.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) has collected files and data from a compromised host.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) has temporarily stored collected information to the files `\u201c%AppData%\\{Unique Identifier}\\HOSTRURKLSR\u201d` and `\u201c%AppData%\\{Unique Identifier}\\NEWERSSEMP\u201d`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) has transmitted collected files and data to its C2 server.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) has downloaded additional malware and files onto a compromised host.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.(Citation: Cylance Dust Storm)(Citation: Microsoft DTC)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) has used Windows API calls, including `NetUserAdd` and `NetUserDel`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) network traffic can communicate over a raw socket.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) has been injected directly into a running process, including `explorer.exe`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "The initial beacon packet for [Mis-Type](https://attack.mitre.org/software/S0084) contains the operating system version and file system of the victim.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) may create a file containing the results of the command cmd.exe /c ipconfig /all.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Mis-Type](https://attack.mitre.org/software/S0084) runs tests to determine the privilege level of the compromised user.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Mis-Type", "color": "#66b1ff"}]}