{"description": "Enterprise techniques used by VIRTUALPITA, ATT&CK software S1217 (v1.0)", "name": "VIRTUALPITA (S1217)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1037", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) can persist as an init.d startup service on Linux vCenter systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) has the ability to spawn a bash shell for script execution.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) can call a Python script to run commands on a targeted guest virtual machine.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1675", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) can execute commands on guest virtual machines from compromised ESXi hypervisors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) has the ability to upload and download files.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1570", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) is capable of file transfer and arbitrary command execution.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) has utilized VMware service names and ports to masquerade as legitimate services.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) samples have been found in `/usr/libexec/setconf/ksmd` and `/usr/bin/ksmd`, named to spoof the legitimate Kernel Same-Page Merging Daemon binary.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1571", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) has created listeners on hard coded TCP ports such as 2233, 7475, and 18098.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1690", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) can impair logging by setting the `HISTFILE` environmental variable to `0` and stopping the `vmsyslogd` service.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) can start and stop the `vmsyslogd` service.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1673", "comment": "[VIRTUALPITA](https://attack.mitre.org/software/S1217) can target specific guest virtual machines for script execution.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by VIRTUALPITA", "color": "#66b1ff"}]}