{"description": "Enterprise techniques used by Milan, ATT&CK software S1015 (v1.1)", "name": "Milan (S1015)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Milan](https://attack.mitre.org/software/S1015) has run `C:\\Windows\\system32\\cmd.exe /c cmd /c dir c:\\users\\ /s 2>&1` to discover local accounts.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Milan](https://attack.mitre.org/software/S1015) can use HTTPS for communication with C2.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)(Citation: Accenture Lyceum Targets November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[Milan](https://attack.mitre.org/software/S1015) has the ability to use DNS for C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)(Citation: Accenture Lyceum Targets November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Milan](https://attack.mitre.org/software/S1015) can use `cmd.exe` for discovery actions on a targeted system.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Milan](https://attack.mitre.org/software/S1015) can upload files from a compromised host.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Milan](https://attack.mitre.org/software/S1015) has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[Milan](https://attack.mitre.org/software/S1015) can use hardcoded domains as an input for domain generation algorithms.(Citation: Accenture Lyceum Targets November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Milan](https://attack.mitre.org/software/S1015) can delete files via `C:\\Windows\\system32\\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q`.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Milan](https://attack.mitre.org/software/S1015) has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[Milan](https://attack.mitre.org/software/S1015) can use a COM component to generate scheduled tasks.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "[Milan](https://attack.mitre.org/software/S1015) has used an executable named `companycatalogue` to appear benign.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.007", "comment": "[Milan](https://attack.mitre.org/software/S1015) has used an executable named `companycatalog.exe.config` to appear benign.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Milan](https://attack.mitre.org/software/S1015) can use the API `DnsQuery_A` for DNS resolution.(Citation: Kaspersky Lyceum October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Milan](https://attack.mitre.org/software/S1015) can encode files containing information about the targeted system.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1572", "comment": "[Milan](https://attack.mitre.org/software/S1015) can use a custom protocol tunneled through DNS or HTTP.(Citation: Kaspersky Lyceum October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Milan](https://attack.mitre.org/software/S1015) can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID.(Citation: Accenture Lyceum Targets November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Milan](https://attack.mitre.org/software/S1015) can establish persistence on a targeted host with scheduled tasks.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Milan](https://attack.mitre.org/software/S1015) can enumerate the targeted machine's name and GUID.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Milan](https://attack.mitre.org/software/S1015) can run `C:\\Windows\\system32\\cmd.exe /c cmd /c ipconfig /all 2>&1` to discover network settings.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Milan](https://attack.mitre.org/software/S1015) can identify users registered to a targeted machine.(Citation: ClearSky Siamesekitten August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Milan", "color": "#66b1ff"}]}