{"description": "Enterprise techniques used by Skidmap, ATT&CK software S0468 (v1.1)", "name": "Skidmap (S0468)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.004", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.006", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to install several loadable kernel modules (LKMs) on infected machines.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has used pm.sh to download and install its main payload.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to download, unpack, and decrypt tar.gz files.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to set SELinux to permissive mode.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to download files on an infected host.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has created a fake rm binary to replace the legitimate Linux binary.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.003", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has encrypted its main payload using 3DES.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has monitored critical processes to ensure resiliency.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1496", "showSubtechniques": true}, {"techniqueID": "T1496.001", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1014", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.003", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has installed itself via crontab.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Skidmap](https://attack.mitre.org/software/S0468) has the ability to check whether the infected system\u2019s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.(Citation: Trend Micro Skidmap)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Skidmap", "color": "#66b1ff"}]}