{"description": "Enterprise techniques used by AppleSeed, ATT&CK software S0622 (v1.1)", "name": "AppleSeed (S0622)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1134", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can gain system level privilege by passing SeDebugPrivilege to the AdjustTokenPrivilege API.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to communicate with C2 over HTTP.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has compressed collected data before exfiltration.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can zip and encrypt data collected on a target system.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce to establish persistence.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to execute its payload via PowerShell.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to use JavaScript to execute PowerShell.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can collect data on a compromised host.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1025", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can find and collect data from removable media devices.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can stage files in a central location prior to exfiltration.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1030", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has divided files if the size is 0x1000000 bytes or more.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can decode its payload prior to execution.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can exfiltrate files via the C2 channel.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has exfiltrated files using web services.(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can use a second channel for C2 when the primary channel is in upload mode.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can delete files from a compromised host after they are exfiltrated.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can use GetKeyState and GetKeyboardState to capture keystrokes on the victim\u2019s machine.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can disguise JavaScript files as PDFs.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to use multiple dynamically resolved API calls.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has the ability to Base64 encode its payload and custom encrypt API calls.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has used UPX packers for its payload DLL.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) has been distributed to victims through malicious e-mail attachments.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can enumerate the current process on a compromised host.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can take screenshots on a compromised host by calling a series of APIs.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can call regsvr32.exe for execution.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can identify the OS version of a targeted system.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can identify the IP of a targeted system.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can pull a timestamp from the victim's machine.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[AppleSeed](https://attack.mitre.org/software/S0622) can achieve execution through users running malicious file attachments distributed via email.(Citation: Malwarebytes Kimsuky June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by AppleSeed", "color": "#66b1ff"}]}