{"description": "Enterprise techniques used by Mosquito, ATT&CK software S0256 (v1.3)", "name": "Mosquito (S0256)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) establishes persistence under the Registry key HKCU\\Software\\Run auto_update.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) can launch PowerShell Scripts.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) uses COM hijacking as a method of persistence.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) deletes files using DeleteFileW API call.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) can upload and download files to the victim.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) can modify Registry keys under HKCU\\Software\\Microsoft\\[dllname] to store configuration values. [Mosquito](https://attack.mitre.org/software/S0256) also modifies Registry keys under HKCR\\CLSID\\...\\InprocServer32 with a path to the launcher.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) stores configuration values under the Registry key HKCU\\Software\\Microsoft\\[dllname].(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Mosquito](https://attack.mitre.org/software/S0256)\u2019s installer is obfuscated with a custom crypter.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) runs tasklist to obtain running processes.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment":
"[Mosquito](https://attack.mitre.org/software/S0256)'s installer searches the Registry and system to see if specific antivirus tools are installed on the system.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Mosquito](https://attack.mitre.org/software/S0256)'s launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) uses the ipconfig command.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Mosquito](https://attack.mitre.org/software/S0256) runs whoami on the victim\u2019s machine.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Mosquito](https://attack.mitre.org/software/S0256)'s installer uses WMI to search for antivirus display names.(Citation: ESET Turla Mosquito Jan 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Mosquito", "color": "#66b1ff"}]}