{
  "description": "Enterprise techniques used by ThiefQuest, ATT&CK software S0595 (v1.2)",
  "name": "ThiefQuest (S0595)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) uploads files via unencrypted HTTP. (Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.002", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) uses [AppleScript](https://attack.mitre.org/techniques/T1059/002)'s osascript -e command to launch [ThiefQuest](https://attack.mitre.org/software/S0595)'s persistence via [Launch Agent](https://attack.mitre.org/techniques/T1543/001) and [Launch Daemon](https://attack.mitre.org/techniques/T1543/004). (Citation: wardle evilquest parti)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1554", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) searches through the /Users/ folder looking for executable files. For each executable, [ThiefQuest](https://attack.mitre.org/software/S0595) prepends a copy of itself to the beginning of the file. When the file is executed, the [ThiefQuest](https://attack.mitre.org/software/S0595) code is executed first. [ThiefQuest](https://attack.mitre.org/software/S0595) creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior. (Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.001", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder.(Citation: wardle evilquest parti)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543.004", "comment": "When running with root privileges after a [Launch Agent](https://attack.mitre.org/techniques/T1543/001) is installed, [ThiefQuest](https://attack.mitre.org/software/S0595) installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true establishing persistence as a Launch Daemon. (Citation: wardle evilquest parti)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.(Citation: wardle evilquest partii)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1622", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl checking the returned value of P_TRACED. [ThiefQuest](https://attack.mitre.org/software/S0595) also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging.(Citation: wardle evilquest partii)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1685", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes.(Citation: wardle evilquest parti)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1041", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) hides a copy of itself in the user's ~/Library directory by using a . at the beginning of the file name followed by 9 random characters.(Citation: wardle evilquest parti)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) can download and execute payloads in-memory or from disk.(Citation: wardle evilquest partii)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) uses the CGEventTap functions to perform keylogging.(Citation: Trendmicro Evolving ThiefQuest 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) uses various API to perform behaviors such as executing payloads and performing local enumeration.(Citation: wardle evilquest partii)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) obtains a list of running processes using the function kill_unwanted.(Citation: wardle evilquest parti)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1620", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads.(Citation: wardle evilquest partii)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of \u201cunwanted\u201d security related programs, and kills the processes for security related programs.(Citation: wardle evilquest parti)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[ThiefQuest](https://attack.mitre.org/software/S0595) invokes time call to check the system's time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls and the amount of time the system slept to identify the sandbox.(Citation: wardle evilquest parti)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by ThiefQuest", "color": "#66b1ff"}]
}