{"description": "Enterprise techniques used by Woody RAT, ATT&CK software S1065 (v1.2)", "name": "Woody RAT (S1065)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can identify administrator accounts on an infected machine.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can communicate with its C2 server using HTTP requests.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can execute PowerShell commands and scripts with the use of .NET DLL, `WoodyPowerSession`.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can execute commands using `cmd.exe`.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can collect information from a compromised host.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can deobfuscate Base64-encoded strings and scripts.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) has suppressed all error reporting by calling `SetErrorMode` with 0x8007 as a parameter.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can use AES-CBC to encrypt data sent to its C2 server.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can use RSA-4096 to encrypt data sent to its C2 server.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can exfiltrate files from an infected machine to its C2 server.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) has relied on CVE-2022-30190 (Follina) for execution during delivery.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) has the ability to delete itself from disk by creating a suspended notepad process and writing shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can download files from its C2 server, including the .NET DLLs, `WoodySharpExecutor` and `WoodyPowerSession`.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1680", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can retrieve information about storage drives from an infected machine.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can use multiple native APIs, including `WriteProcessMemory`, `CreateProcess`, and `CreateRemoteThread` for process injection.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) has used Base64 encoded strings and scripts.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) has been delivered via malicious Word documents and archive files.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can call `NtQuerySystemProcessInformation` with `SystemProcessInformation` to enumerate all running processes, including associated information such as PID, parent PID, image name, and owner.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can inject code into a targeted process by writing to the remote memory of an infected system and then creating a remote thread.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can create a suspended notepad process and write shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can search registry keys to identify antivirus programs on a compromised host.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) has the ability to take a screenshot of the infected host desktop using Windows GDI+.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can collect .NET, PowerShell, and Python information from an infected host.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can detect Avast Software, Doctor Web, Kaspersky, AVG, ESET, and Sophos antivirus programs.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, and environment variables.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can retrieve network interface and proxy information.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1016.001", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can make `Ping` GET HTTP requests to its C2 server at regular intervals for network connectivity checks.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1033", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) can retrieve a list of user accounts and usernames from an infected machine.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Woody RAT](https://attack.mitre.org/software/S1065) has relied on users opening a malicious email attachment for execution.(Citation: MalwareBytes WoodyRAT Aug 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Woody RAT", "color": "#66b1ff"}]}