{"description": "Enterprise techniques used by Orz, ATT&CK software S0229 (v2.2)", "name": "Orz (S0229)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Orz](https://attack.mitre.org/software/S0229) can execute shell commands.(Citation: Proofpoint Leviathan Oct 2017) [Orz](https://attack.mitre.org/software/S0229) can execute commands with JavaScript.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Orz](https://attack.mitre.org/software/S0229) can gather victim drive information.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "comment": "[Orz](https://attack.mitre.org/software/S0229) can overwrite Registry settings to reduce its visibility on the victim.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Orz](https://attack.mitre.org/software/S0229) can download files onto the victim.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Orz](https://attack.mitre.org/software/S0229) can perform Registry operations.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "Some [Orz](https://attack.mitre.org/software/S0229) strings are base64 encoded, such as the embedded DLL known as MockDll.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Orz](https://attack.mitre.org/software/S0229) can gather a process list from the victim.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "Some [Orz](https://attack.mitre.org/software/S0229) versions have an embedded DLL known as MockDll that uses process hollowing and [Regsvr32](https://attack.mitre.org/techniques/T1218/010) to execute another payload.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "comment": "[Orz](https://attack.mitre.org/software/S0229) can gather the victim's Internet Explorer version.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "Some [Orz](https://attack.mitre.org/software/S0229) versions have an embedded DLL known as MockDll that uses [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) and regsvr32 to execute another payload.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Orz](https://attack.mitre.org/software/S0229) can gather the victim OS version and whether it is 64 or 32 bit.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Orz](https://attack.mitre.org/software/S0229) can gather victim proxy information.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Orz](https://attack.mitre.org/software/S0229) has used Technet and Pastebin web pages for command and control.(Citation: Proofpoint Leviathan Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Orz", "color": "#66b1ff"}]}