{"description": "Enterprise techniques used by Comnie, ATT&CK software S0244 (v1.1)", "name": "Comnie (S0244)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Comnie](https://attack.mitre.org/software/S0244) uses the net user command.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Comnie](https://attack.mitre.org/software/S0244) uses HTTP for C2 communication.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[Comnie](https://attack.mitre.org/software/S0244) executes a batch script to store discovery information in %TEMP%\\info.dat and then uploads the temporary file to the remote C2 server.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Comnie](https://attack.mitre.org/software/S0244) achieves persistence by adding a shortcut of itself to the startup path in the Registry.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "[Comnie](https://attack.mitre.org/software/S0244) establishes persistence via a .lnk file in the victim\u2019s startup path.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Comnie](https://attack.mitre.org/software/S0244) executes BAT scripts.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Comnie](https://attack.mitre.org/software/S0244) executes VBS scripts.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Comnie](https://attack.mitre.org/software/S0244) encrypts command and control communications with RC4.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[Comnie](https://attack.mitre.org/software/S0244) uses RC4 and Base64 to obfuscate strings.(Citation: Palo Alto Comnie)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[Comnie](https://attack.mitre.org/software/S0244) appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Comnie](https://attack.mitre.org/software/S0244) uses the tasklist to view running processes on the victim\u2019s machine.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[Comnie](https://attack.mitre.org/software/S0244) runs the net view command", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Comnie](https://attack.mitre.org/software/S0244) attempts to detect several anti-virus products.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Comnie](https://attack.mitre.org/software/S0244) uses Rundll32 to load a malicious DLL.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Comnie](https://attack.mitre.org/software/S0244) collects the hostname of the victim machine.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Comnie](https://attack.mitre.org/software/S0244) uses ipconfig /all and route PRINT to identify network adapter and interface information.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Comnie](https://attack.mitre.org/software/S0244) executes the netstat -ano command.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[Comnie](https://attack.mitre.org/software/S0244) runs the command: net start >> %TEMP%\\info.dat on a victim.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Comnie](https://attack.mitre.org/software/S0244) uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.(Citation: Palo Alto Comnie)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Comnie", "color": "#66b1ff"}]}