{"description": "Enterprise techniques used by Kazuar, ATT&CK software S0265 (v1.4)", "name": "Kazuar (S0265)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) gathers information on local groups and members on the victim\u2019s machine.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) uses HTTP and HTTPS to communicate with the C2 server. [Kazuar](https://attack.mitre.org/software/S0265) can also act as a webserver and listen for inbound HTTP requests through an exposed API.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) uses FTP and FTPS to communicate with the C2 server.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) gathers information about opened windows.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) adds a sub-key under several Registry run keys.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) adds a .lnk file to the Windows startup folder.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", 
"showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) uses cmd.exe to execute commands on the victim\u2019s machine.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) uses /bin/bash to execute commands on the victim\u2019s machine.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) can install itself as a new service.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) can overwrite files with random data before deleting them.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) encodes communications to the C2 server in Base64.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) uploads files from a specified directory to the C2 server.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) stages command output and collected data in files before exfiltration.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1008", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) can accept multiple URLs for C2 servers.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) finds a specified directory, lists the files and metadata about those files.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) can delete files.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) downloads additional plug-ins to load on the victim\u2019s machine, including the ability to upgrade and replace its own binary.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1680", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) gathers information on local drives.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) is obfuscated using the open source ConfuserEx protector. [Kazuar](https://attack.mitre.org/software/S0265) also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.001", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) gathers information about local groups and members.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) obtains a list of running processes through WMI querying and the ps command.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "If running in a Windows environment, [Kazuar](https://attack.mitre.org/software/S0265) saves a DLL to disk that is injected into the explorer.exe process to execute the payload. [Kazuar](https://attack.mitre.org/software/S0265) can also be configured to inject and execute within specific processes.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) has used internal nodes on the compromised network for C2 communications.(Citation: Accenture HyperStack October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1029", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) can sleep for a specific time and be set to communicate at specific intervals.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) captures screenshots of the victim\u2019s screen.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) gathers information on the system.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) gathers information about network adapters.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) gathers information on users.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1125", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) captures images from the webcam.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": 
"T1102.002", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) has used compromised WordPress blogs as C2 servers.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Kazuar](https://attack.mitre.org/software/S0265) obtains a list of running processes through WMI querying.(Citation: Unit 42 Kazuar May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Kazuar", "color": "#66b1ff"}]}