{"description": "Enterprise techniques used by Imminent Monitor, ATT&CK software S0434 (v1.1)",
 "name": "Imminent Monitor (S0434)",
 "domain": "enterprise-attack",
 "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
 "techniques": [
  {"techniqueID": "T1123", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a remote microphone monitoring capability.(Citation: Imminent Unit42 Dec2019)(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1059", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1555", "showSubtechniques": true},
  {"techniqueID": "T1555.003", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a PasswordRecoveryPacket module for recovering browser passwords.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1140", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has decoded malware components that are then dropped to the system.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1685", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a feature to disable Windows Task Manager.(Citation: Imminent Unit42 Dec2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1041", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has uploaded a file containing debugger logs, network information and system information to the C2.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1083", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1564", "showSubtechniques": true},
  {"techniqueID": "T1564.001", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a dynamic debugging feature to set the file attribute to hidden.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1070", "showSubtechniques": true},
  {"techniqueID": "T1070.004", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has deleted files related to its dynamic debugger feature.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1056", "showSubtechniques": true},
  {"techniqueID": "T1056.001", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a keylogging module.(Citation: Imminent Unit42 Dec2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1106", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has leveraged the CreateProcessW() call to execute the debugger.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1027", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1057", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a \"Process Watcher\" feature to monitor processes in case the client ever crashes or gets closed.(Citation: Imminent Unit42 Dec2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1021", "showSubtechniques": true},
  {"techniqueID": "T1021.001", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a module for performing remote desktop access.(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1496", "showSubtechniques": true},
  {"techniqueID": "T1496.001", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has the capability to run a cryptocurrency miner on the victim machine.(Citation: Imminent Unit42 Dec2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1125", "comment": "[Imminent Monitor](https://attack.mitre.org/software/S0434) has a remote webcam monitoring capability.(Citation: Imminent Unit42 Dec2019)(Citation: QiAnXin APT-C-36 Feb2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
 ],
 "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
 "legendItems": [{"label": "used by Imminent Monitor", "color": "#66b1ff"}]}