{
  "description": "Enterprise techniques used by DEADEYE, ATT&CK software S1052 (v1.1)",
  "name": "DEADEYE (S1052)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) can run `cmd /c copy /y /b C:\\Users\\public\\syslog_6-*.dat C:\\Users\\public\\syslog.dll` to combine separate sections of code into a single DLL prior to execution.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) can recombine multiple sections of a binary, split up to evade detection, into a single .dll prior to execution.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1480", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) can ensure it executes only on intended systems by checking the victim's volume serial number, hostname, and/or DNS domain.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.004", "comment": "The DEADEYE.EMBED variant of [DEADEYE](https://attack.mitre.org/software/S1052) can embed its payload in an alternate data stream of a local file.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) has used `schtasks /change` to modify scheduled tasks including `\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor`, `\\Microsoft\\Windows\\Ras\\ManagerMobility`, `\\Microsoft\\Windows\\WDI\\SrvSetupResults`, and `\\Microsoft\\Windows\\WDI\\USOShared`.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) can call the `GetComputerNameA` and `GetComputerNameExA` WinAPI functions.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.009", "comment": "The DEADEYE.EMBED variant of [DEADEYE](https://attack.mitre.org/software/S1052) can embed payloads inside a compiled binary.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) has encrypted its payload.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.007", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) can use `msiexec.exe` to execute a malicious DLL.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) can use `rundll32.exe` to execute living-off-the-land binaries (LOLBins) such as `SHELL32.DLL`.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) can enumerate a victim computer's volume serial number and host name.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[DEADEYE](https://attack.mitre.org/software/S1052) can discover the DNS domain name of a targeted system.(Citation: Mandiant APT41)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by DEADEYE", "color": "#66b1ff"}]
}