{"description": "Enterprise techniques used by SpeakUp, ATT&CK software S0374 (v1.2)", "name": "SpeakUp (S0374)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) uses POST and GET requests over HTTP to communicate with its main C&C server. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "showSubtechniques": true}, {"techniqueID": "T1110.001", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) uses Perl scripts.(Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) uses Python scripts.(Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) encodes C&C communication using Base64. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1203", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) deletes files to remove evidence on the machine. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) downloads and executes additional files from a remote server. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) checks for availability of specific ports on servers.(Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) encodes its second-stage payload with Base64. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.003", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) uses cron tasks to ensure persistence. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) uses the cat /proc/cpuinfo | grep -c \u201ccpu family\u201d 2>&1 command to gather system information. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) uses the ifconfig -a command. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) uses the arp -a command. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[SpeakUp](https://attack.mitre.org/software/S0374) uses the whoami command. (Citation: CheckPoint SpeakUp Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SpeakUp", "color": "#66b1ff"}]}