{
  "description": "Enterprise techniques used by Lizar, ATT&CK software S0681 (v2.0)",
  "name": "Lizar (S0681)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.003", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has encrypted data before sending it to the server.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1217", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can retrieve browser history and database files.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used PowerShell scripts.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a command to open the command-line on the infected system.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used Python scripts (ps2x.py script and ps2p.py) to execute files on remote hosts using the [Impacket](https://attack.mitre.org/software/S0357) library.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a module to collect usernames and passwords stored in browsers.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555.004", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using `vaultcmd.exe` and another that can collect RDP access credentials using the `CredEnumerateW` function.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.002", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used a complex XOR operation to obfuscate C2 communications.(Citation: SekoiaBourhis_DiceLoader_Feb2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has decrypted its configuration data, such as the C2 IP address, ports and other network communication.(Citation: BiZone Lizar May 2021)(Citation: SekoiaBourhis_DiceLoader_Feb2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can support encrypted communications between the client and server.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)(Citation: Cocomazzi FIN7 Reboot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can download additional plugins, files, and tools.(Citation: BiZone Lizar May 2021)(Citation: SekoiaBourhis_DiceLoader_Feb2024)(Citation: Cocomazzi FIN7 Reboot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used various Windows API functions on a victim's machine.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1095", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used a raw TCP connection to communicate with the C2 server.(Citation: SekoiaBourhis_DiceLoader_Feb2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has obfuscated the fingerprint of the victim system, the local IP address, and the Fowler-Noll-Vo 1 (FNV-1) hash of the local IP address using an XOR operation. The data is then sent to the C2 server.(Citation: SekoiaBourhis_DiceLoader_Feb2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has obtained and used tools such as [Impacket](https://attack.mitre.org/software/S0357), [Mimikatz](https://attack.mitre.org/software/S0002), and [PsExec](https://attack.mitre.org/software/S0029).(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can run [Mimikatz](https://attack.mitre.org/software/S0002) to harvest credentials.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a plugin designed to obtain a list of processes.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can migrate the loader into another process.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.002", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can execute PE files in the address space of the specified process.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1620", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used the Reflective DLL injection module from Github to inject itself into a process’s memory.(Citation: SekoiaBourhis_DiceLoader_Feb2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can take JPEG screenshots of an infected system.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021) [Lizar](https://attack.mitre.org/software/S0681) has also used a plugin to take a screenshot of the infected system.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can search for processes associated with an anti-virus product from a list.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can collect the computer name from the machine.(Citation: BiZone Lizar May 2021)(Citation: SekoiaBourhis_DiceLoader_Feb2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has retrieved network information from a compromised host, such as the MAC address.(Citation: BiZone Lizar May 2021)(Citation: SekoiaBourhis_DiceLoader_Feb2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1049", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a plugin to retrieve information about all active network sessions on the infected server.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can collect the username from the system.(Citation: BiZone Lizar May 2021)(Citation: SekoiaBourhis_DiceLoader_Feb2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Lizar", "color": "#66b1ff"}]
}