{
  "description": "Enterprise techniques used by Saint Bot, ATT&CK software S1018 (v2.0)",
  "name": "Saint Bot (S1018)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has attempted to bypass UAC using `fodhelper.exe` to escalate privileges.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used HTTP for C2 communications.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has established persistence by being copied to the Startup directory or through the `\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry key.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used PowerShell for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used `cmd.exe` and `.bat` scripts for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used `.vbs` scripts for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used Base64 to encode its C2 communications.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) can collect files and information from a compromised host.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1622", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used `is_debugger_present` as part of its environmental checks.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) can deobfuscate strings and files for execution.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) can search a compromised host for specific files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) will use the malicious file `slideshow.mp4`, if present, to load the core API provided by `ntdll.dll`, avoiding any hooks placed on calls to the original `ntdll.dll` by endpoint detection and response or antimalware software.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) can run a batch script named `del.bat` to remove any [Saint Bot](https://attack.mitre.org/software/S1018) payload-linked files from a compromised system if anti-analysis or locale checks fail.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) can download additional files onto a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has been disguised as a legitimate executable, including as the Windows SDK.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used different API calls, including `GetProcAddress`, `VirtualAllocEx`, `WriteProcessMemory`, `CreateProcessA`, and `SetThreadContext`.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has been obfuscated to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has been packed using a dark market crypter.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has been distributed as malicious attachments within spearphishing emails.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has been distributed through malicious links contained within spearphishing emails.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has enumerated running processes on a compromised host to determine if it is running under the process name `dfrgui.exe`.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has injected its DLL component into `EhStorAuthn.exe`.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.004", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has written its payload into a newly created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "The [Saint Bot](https://attack.mitre.org/software/S1018) loader has used API calls to spawn `MSBuild.exe` in a suspended state before injecting the decrypted [Saint Bot](https://attack.mitre.org/software/S1018) binary into it.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1012", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used `check_registry_keys` as part of its environmental checks.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has created a scheduled task named \"Maintenance\" to establish persistence.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.004", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used `InstallUtil.exe` to download and deploy executables.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.010", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used `regsvr32` to execute scripts.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) can identify the OS version, CPU, and other details from a victim's machine.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) can collect the IP address of a victim machine.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) can collect the username from a compromised host.(Citation: Malwarebytes Saint Bot April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.001", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has relied on users to click on a malicious link delivered via spearphishing.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has relied on users to execute a malicious attachment delivered via spearphishing.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has run several virtual machine and sandbox checks, including checking if `Sbiedll.dll` is present in a list of loaded modules, comparing the machine name to `HAL9TH` and the user name to `JohnDoe`, and checking the BIOS version for known virtual machine identifiers.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[Saint Bot](https://attack.mitre.org/software/S1018) has used the command `timeout 20` to pause the execution of its initial loader.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Saint Bot", "color": "#66b1ff"}]
}