{"description": "Enterprise techniques used by LITTLELAMB.WOOLTEA, ATT&CK software S1121 (v1.1)", "name": "LITTLELAMB.WOOLTEA (S1121)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1554", "comment": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can append malicious components to the `tmp/tmpmnt/bin/samba_upgrade.tar` archive inside the factory reset partition in attempt to persist post reset.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "comment": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can initialize itself as a daemon to run persistently in the background.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can communicate over SSL using the private key from the Ivanti Connect Secure web server.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can monitor for system upgrade events by checking for the presence of `/tmp/data/root/dev`.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can function as a stand-alone backdoor communicating over the `/tmp/clientsDownload.sock` socket.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) has the ability to function as a SOCKS proxy.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[LITTLELAMB.WOOLTEA](https://attack.mitre.org/software/S1121) can check the type of Ivanti VPN device it is running on by executing `first_run()` to identify the first four bytes of the motherboard serial number.(Citation: Mandiant Cutting Edge Part 3 February 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by LITTLELAMB.WOOLTEA", "color": "#66b1ff"}]}