{"description": "Enterprise techniques used by OutSteel, ATT&CK software S1017 (v2.0)", "name": "OutSteel (S1017)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) has used HTTP for C2 communications.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can automatically scan for and collect files with specific extensions.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1020", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can automatically upload collected files to its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) has used `cmd.exe` to scan a compromised host for specific file extensions.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.010", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) was developed using the AutoIT scripting language.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can collect information from a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can upload files from a compromised host over its C2 channel.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can search for specific file extensions, including zipped files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can delete itself following the successful execution of a follow-on payload.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can download files from its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1570", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can download the [Saint Bot](https://attack.mitre.org/software/S1018) malware for follow-on execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) attempts to download and execute [Saint Bot](https://attack.mitre.org/software/S1018) to a statically-defined location attempting to mimic svchost: %TEMP%\\\\svjhost.exe.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) has been distributed as a malicious attachment within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) has been distributed through malicious links contained within spearphishing emails.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) can identify running processes on a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) has relied on a user to click a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[OutSteel](https://attack.mitre.org/software/S1017) has relied on a user to execute a malicious attachment delivered via spearphishing.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by OutSteel", "color": "#66b1ff"}]}