{"description": "Enterprise techniques used by ZxxZ, ATT&CK software S1013 (v1.1)", "name": "ZxxZ (S1013)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1005", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) can collect data from a compromised host.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has used a XOR key to decrypt strings.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) can download and execute additional files.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has been disguised as a Windows security update service.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has been encoded to avoid detection from static analysis tools.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has created a snapshot of running processes using `CreateToolhelp32Snapshot`.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) can search the registry of a compromised host.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has used scheduled tasks for persistence and execution.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) can search a compromised host to determine if it is running Windows Defender or Kasperky antivirus.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has collected the host name and operating system product name from a compromised machine.(Citation: Cisco Talos Bitter Bangladesh May 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) can collect the username from a compromised host.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[ZxxZ](https://attack.mitre.org/software/S1013) has relied on victims to open a malicious attachment delivered via email.(Citation: Cisco Talos Bitter Bangladesh May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ZxxZ", "color": "#66b1ff"}]}