{"description": "Enterprise techniques used by Ferocious, ATT&CK software S0679 (v1.0)", "name": "Ferocious (S0679)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) can use PowerShell scripts for execution.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) has the ability to use Visual Basic scripts for execution.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) can use COM hijacking to establish persistence.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) can delete files from a compromised host.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) can run GET.WORKSPACE in Microsoft Excel to check if a mouse is present.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) has checked for AV software as part of its persistence process.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Ferocious](https://attack.mitre.org/software/S0679) can run anti-sandbox checks using the Microsoft Excel 4.0 function GET.WORKSPACE to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds.(Citation: Kaspersky WIRTE November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Ferocious", "color": "#66b1ff"}]}