{"description": "Enterprise techniques used by KOCTOPUS, ATT&CK software S0669 (v1.2)", "name": "KOCTOPUS (S0669)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) will perform UAC bypass either through fodhelper.exe or eventvwr.exe.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) can set the AutoRun Registry key with a PowerShell command.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has used PowerShell commands to download additional files.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has used `cmd.exe` and batch files for execution.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has used VBScript to call wscript to execute a PowerShell command.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has deobfuscated itself before executing its commands.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has used -WindowsStyle Hidden to hide the command window.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.009", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) can delete created registry keys used for persistence as part of its cleanup procedure.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has executed a PowerShell command to download a file to the system.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has been disguised as legitimate software programs associated with the travel and airline industries.(Citation: Arghire LazyScripter) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has added and deleted keys from the Registry.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) can use the `LoadResource` and `CreateProcessW` APIs for execution.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has obfuscated scripts with the BatchEncryption tool.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has been distributed via spearphishing emails with malicious attachments.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has been distributed as a malicious link within an email.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has checked the OS version using `wmic.exe` and the `find` command.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has relied on victims clicking on a malicious link delivered via email.(Citation: MalwareBytes LazyScripter Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[KOCTOPUS](https://attack.mitre.org/software/S0669) has relied on victims clicking a malicious document for execution.(Citation: MalwareBytes LazyScripter Feb 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by KOCTOPUS", "color": "#66b1ff"}]}