{"description": "Enterprise techniques used by ANDROMEDA, ATT&CK software S1074 (v1.0)", "name": "ANDROMEDA (S1074)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[ANDROMEDA](https://attack.mitre.org/software/S1074) has the ability to make GET requests to download files from C2.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[ANDROMEDA](https://attack.mitre.org/software/S1074) can establish persistence by dropping a sample of itself to `C:\\ProgramData\\Local Settings\\Temp\\mskmde.com` and adding a Registry run key to execute every time a user logs on.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[ANDROMEDA](https://attack.mitre.org/software/S1074) can download additional payloads from C2.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[ANDROMEDA](https://attack.mitre.org/software/S1074) has been installed to `C:\\Temp\\TrustedInstaller.exe` to mimic a legitimate Windows installer service.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "[ANDROMEDA](https://attack.mitre.org/software/S1074) has been delivered through a LNK file disguised as a folder.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "comment": "[ANDROMEDA](https://attack.mitre.org/software/S1074) can inject into the `wuauclt.exe` process to perform C2 actions.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1091", "comment": "[ANDROMEDA](https://attack.mitre.org/software/S1074) has been spread via infected USB keys.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ANDROMEDA", "color": "#66b1ff"}]}