{"description": "Enterprise techniques used by Epic, ATT&CK software S0091 (v1.4)", "name": "Epic (S0091)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Epic](https://attack.mitre.org/software/S0091) gathers a list of all user accounts, privilege classes, and time of last logon.(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Epic](https://attack.mitre.org/software/S0091) uses HTTP and HTTPS for C2 communications.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[Epic](https://attack.mitre.org/software/S0091) encrypts collected data using a public key framework before sending it over the C2 channel.(Citation: Kaspersky Turla) Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.(Citation: Kaspersky Turla Aug 2014)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1560.002", "comment": "[Epic](https://attack.mitre.org/software/S0091) compresses the collected data with bzip2 before sending it to the C2 server.(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Epic](https://attack.mitre.org/software/S0091) encrypts commands from the C2 server using a hardcoded key.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Epic](https://attack.mitre.org/software/S0091) recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\\Temp directories.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Epic](https://attack.mitre.org/software/S0091) has a command to delete a file from the machine.(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1680", "comment": "[Epic](https://attack.mitre.org/software/S0091) collects disk space information.(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Epic](https://attack.mitre.org/software/S0091) heavily obfuscates its code to make analysis more difficult.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.001", "comment": "[Epic](https://attack.mitre.org/software/S0091) gathers information on local group names.(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Epic](https://attack.mitre.org/software/S0091) uses the tasklist /v command to obtain a list of processes.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.011", "comment": "[Epic](https://attack.mitre.org/software/S0091) has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process.(Citation: ESET Recon Snake Nest)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Epic](https://attack.mitre.org/software/S0091) uses the rem reg query command to obtain values from Registry keys.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[Epic](https://attack.mitre.org/software/S0091) uses the net view command on the victim\u2019s machine.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Epic](https://attack.mitre.org/software/S0091) searches for anti-malware services running on the victim\u2019s machine and terminates itself if it finds them.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Turla](https://attack.mitre.org/groups/G0010) has used valid digital certificates from Sysprint AG to sign its [Epic](https://attack.mitre.org/software/S0091) dropper.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Epic](https://attack.mitre.org/software/S0091) collects the OS version, hardware information, computer name, available system memory status, and system and user language settings.(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Epic](https://attack.mitre.org/software/S0091) uses the nbtstat -n and nbtstat -s commands on the victim\u2019s machine.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Epic](https://attack.mitre.org/software/S0091) uses the net use, net session, and netstat commands to gather information on network connections.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Epic](https://attack.mitre.org/software/S0091) collects the user name from the victim\u2019s machine.(Citation: Kaspersky Turla Aug 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[Epic](https://attack.mitre.org/software/S0091) uses the tasklist /svc command to list the services on the system.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Epic](https://attack.mitre.org/software/S0091) uses the net time command  to get the system time from the machine and collect the current date and time zone information.(Citation: Kaspersky Turla)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Epic", "color": "#66b1ff"}]}