{"description": "Enterprise techniques used by SharpDisco, ATT&CK software S1089 (v1.0)", "name": "SharpDisco (S1089)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) has the ability to transfer data between SMB shares.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) can use `cmd.exe` to execute plugins and to send command output to specified SMB shares.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) has dropped a recent-files stealer plugin to `C:\\Users\\Public\\WinSrcNT\\It11.exe`.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) can load a plugin to exfiltrate stolen files to SMB shares also used in C2.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) can identify recently opened files by using an LNK format parser to extract the original file path from LNK files found in either `%USERPROFILE%\\Recent` (Windows XP) or `%APPDATA%\\Microsoft\\Windows\\Recent` (newer Windows versions).(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) can hide windows using `ProcessWindowStyle.Hidden`.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) has been used to download a Python interpreter to `C:\\Users\\Public\\WinTN\\WinTN.exe` as well as other plugins from external sources.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1680", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) can use a plugin to enumerate system drives.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) can leverage Native APIs through plugins including `GetLogicalDrives`.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) has dropped a plugin to monitor external drives to `C:\\Users\\Public\\It3.exe`.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[SharpDisco](https://attack.mitre.org/software/S1089) can create scheduled tasks to execute reverse shells that read and write data to and from specified SMB shares.(Citation: MoustachedBouncer ESET August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SharpDisco", "color": "#66b1ff"}]}
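The T1083 entry above describes the recent-files plugin's core trick: parsing the `.lnk` files Windows writes into the Recent folder to recover the original path of every document the user opened. The script below is an added example, not SharpDisco's code and not from the ESET report or the ATT&CK layer; it is a minimal reader for the public MS-SHLLINK layout that recovers the target path (local drive, or a `\\server\share` path when the document lives on SMB), and a scan of the two Recent locations the layer names. Both `.lnk` samples are constructed in-process so it runs offline; the file names, paths and share in `SAMPLES` are invented, and the ANSI strings are assumed to be cp1252.

```python
"""Parse Windows .lnk files and recover their targets (added example, MS-SHLLINK layout)."""
import os
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION = 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
LI_VOLUME_AND_LOCAL_BASE, LI_NETWORK_AND_SUFFIX = 0x01, 0x02   # LinkInfoFlags


def _cstr(buf: bytes, off: int) -> str:
    """NUL-terminated ANSI string at off (code page assumed to be cp1252)."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", errors="replace")


def parse_lnk(data: bytes) -> dict:
    """Return the target path and a few StringData fields of one shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]           # LinkFlags
    pos = 0x4C                                              # end of ShellLinkHeader
    out = {"local_path": None, "network_path": None, "relative_path": None, "arguments": None}
    if flags & HAS_LINK_TARGET_ID_LIST:                     # skip the ItemIDList; LinkInfo is enough
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = data[pos:pos + struct.unpack_from("<I", data, pos)[0]]
        _, _, li_flags, _, lbp_off, cnrl_off, cps_off = struct.unpack_from("<7I", li)
        if li_flags & (LI_VOLUME_AND_LOCAL_BASE | LI_NETWORK_AND_SUFFIX):
            suffix = _cstr(li, cps_off)                     # CommonPathSuffix
            if li_flags & LI_VOLUME_AND_LOCAL_BASE:         # full path = LocalBasePath + suffix
                out["local_path"] = _cstr(li, lbp_off) + suffix
            if li_flags & LI_NETWORK_AND_SUFFIX:            # CommonNetworkRelativeLink.NetName + suffix
                net_off = struct.unpack_from("<I", li, cnrl_off + 8)[0]
                out["network_path"] = _cstr(li, cnrl_off + net_off).rstrip("\\") + "\\" + suffix
        pos += len(li)
    for flag, key in ((HAS_NAME, None), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, None),
                      (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, None)):
        if not flags & flag:
            continue                                        # StringData entries appear in this fixed order
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if key:
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    out["target"] = out["local_path"] or out["network_path"] or out["relative_path"]
    return out


def build_lnk(target: str, relative: str = "", share=None) -> bytes:
    """Constructed sample: a .lnk whose LinkInfo names `target` on a local drive or on `share`."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_RELATIVE_PATH if relative else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if share is None:
        drive, suffix = target[:3], target[3:]              # "C:\" is the LocalBasePath, rest the suffix
        volume = struct.pack("<4I", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"   # VolumeID: DRIVE_FIXED, no label
        body = volume + drive.encode("cp1252") + b"\x00"
        li_flags, vol_off, lbp_off, cnrl_off = LI_VOLUME_AND_LOCAL_BASE, 0x1C, 0x1C + len(volume), 0
    else:
        suffix = target
        net = share.encode("cp1252") + b"\x00"
        body = struct.pack("<5I", 0x14 + len(net), 0, 0x14, 0, 0) + net  # CommonNetworkRelativeLink
        li_flags, vol_off, lbp_off, cnrl_off = LI_NETWORK_AND_SUFFIX, 0, 0, 0x1C
    cps = suffix.encode("cp1252") + b"\x00"
    cps_off = 0x1C + len(body)
    link_info = struct.pack("<7I", cps_off + len(cps), 0x1C, li_flags, vol_off, lbp_off, cnrl_off, cps_off)
    string_data = (struct.pack("<H", len(relative)) + relative.encode("utf-16-le")) if relative else b""
    return header + link_info + body + cps + string_data


def recent_dirs() -> list:
    """The two Recent locations the layer names: %APPDATA% first, then the XP-era %USERPROFILE% path."""
    dirs = []
    if os.environ.get("APPDATA"):
        dirs.append(Path(os.environ["APPDATA"]) / "Microsoft" / "Windows" / "Recent")
    if os.environ.get("USERPROFILE"):
        dirs.append(Path(os.environ["USERPROFILE"]) / "Recent")
    return dirs


def scan_recent(dirs=None) -> dict:
    """Map every .lnk under the Recent folders to the path it points at; skip files that do not parse."""
    found = {}
    for d in (dirs if dirs is not None else recent_dirs()):
        if not d.is_dir():
            continue
        for lnk in d.glob("*.lnk"):
            try:
                found[lnk.name] = parse_lnk(lnk.read_bytes())["target"]
            except (ValueError, struct.error, IndexError):
                continue
    return found


SAMPLES = {  # constructed samples, not captured from a real host
    "q4-budget.xlsx.lnk": build_lnk("C:\\Users\\alice\\Documents\\q4-budget.xlsx", "..\\Documents\\q4-budget.xlsx"),
    "payroll.docx.lnk": build_lnk("payroll.docx", share="\\\\fileserver\\finance"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", parse_lnk(blob)["target"])
    for name, target in scan_recent().items():               # empty on a non-Windows host
        print(name, "->", target)
```

Run on a Windows host, the last loop lists exactly what a recent-files stealer would collect, which makes it a quick way to gauge exposure: each entry is a document path (often on a share) that leaves the machine with the first exfiltration batch. The parser only uses the ANSI path fields, which every LinkInfo carries; the optional Unicode offsets present when LinkInfoHeaderSize is 0x24 are not needed for the paths to resolve.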