{"description": "Enterprise techniques used by StarProxy, ATT&CK software S1227 (v1.0)", "name": "StarProxy (S1227)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1059", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has used the command line for execution of commands.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has utilized TLS record headers in network packets to impersonate various versions of the TLS protocol and blend in with legitimate network traffic. [StarProxy](https://attack.mitre.org/software/S1227) used FakeTLS to communicate with its C2 server.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has decrypted network packets using a custom algorithm.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has leveraged two 256-byte XOR keys to encrypt and decrypt network packets using a custom algorithm.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has been side-loaded by the legitimate, signed executable IsoBurner.exe.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has used native Windows API calls such as `GetLocalTime()` to retrieve system data.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has used TCP for C2 communications to target IPs or domains. [StarProxy](https://attack.mitre.org/software/S1227) contained code to support both UDP and TCP connections.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has proxied traffic between infected devices and their C2 servers.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1124", "comment": "[StarProxy](https://attack.mitre.org/software/S1227) has utilized the Windows API call `GetLocalTime()` to retrieve a `SYSTEMTIME` structure and generate a seed value.(Citation: Zscaler)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by StarProxy", "color": "#66b1ff"}]}
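The T1001.003 entry above describes FakeTLS: a genuine-looking TLS record header placed in front of non-TLS payload. The following is an added example of how an analyst can flag that pattern from the first client-to-server bytes of a flow; it is not StarProxy code, it is not taken from the Zscaler report, and the byte strings it builds are constructed here for illustration. The check is generic: a real TLS session begins with a handshake record whose body parses as a ClientHello, so a record header whose body does not parse, or an application-data record with no handshake before it, is treated as suspect.

```python
"""Heuristic detector for FakeTLS: a TLS record header (T1001.003) carrying
bytes that were never part of a TLS handshake.

Added example, not StarProxy's code and not derived from the Zscaler report.
The sample flows below are constructed for illustration only.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
CLIENT_HELLO = 0x01
KNOWN_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
MAX_RECORD_LEN = 16384 + 2048  # TLS 1.2 upper bound for a ciphertext record


def parse_record_header(data: bytes):
    """Return (content_type, version, length) for a 5-byte TLS record header,
    or None if fewer than 5 bytes are available."""
    if len(data) < 5:
        return None
    return struct.unpack("!BHH", data[:5])


def looks_like_client_hello(body: bytes) -> bool:
    """Check that a handshake record body is a plausible ClientHello:
    handshake type 0x01, a 3-byte handshake length consistent with the body,
    a 2-byte client_version, then 32 bytes of random."""
    if len(body) < 4 + 2 + 32:
        return False
    if body[0] != CLIENT_HELLO:
        return False
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len != len(body) - 4:
        return False
    client_version = struct.unpack("!H", body[4:6])[0]
    return client_version in KNOWN_RECORD_VERSIONS


def classify_first_client_bytes(data: bytes) -> str:
    """Classify the first client->server payload of a TCP flow.

    Returns 'tls' for a real ClientHello, 'faketls' for a TLS record header
    whose contents do not match a handshake, and 'not-tls' otherwise.
    The heuristic assumes the full first record is present in `data`."""
    hdr = parse_record_header(data)
    if hdr is None:
        return "not-tls"
    ctype, version, length = hdr
    if version not in KNOWN_RECORD_VERSIONS or length > MAX_RECORD_LEN:
        return "not-tls"
    body = data[5:5 + length]
    if ctype == TLS_HANDSHAKE:
        return "tls" if looks_like_client_hello(body) else "faketls"
    if ctype == TLS_APPLICATION_DATA:
        # Application data as the very first record: no handshake ever
        # happened, so the header is only decoration over custom traffic.
        return "faketls"
    return "not-tls"


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no
    extensions), used as the 'legitimate' sample."""
    hello_body = (struct.pack("!H", 0x0303)        # client_version
                  + bytes(range(32))               # random (fixed for the demo)
                  + b"\x00"                        # session_id length 0
                  + struct.pack("!HH", 2, 0x1301)  # one cipher suite
                  + b"\x01\x00")                   # null compression only
    handshake = bytes([CLIENT_HELLO]) + len(hello_body).to_bytes(3, "big") + hello_body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def build_faketls_sample() -> bytes:
    """Constructed FakeTLS sample: an application-data record header over
    arbitrary bytes, sent with no prior handshake."""
    payload = bytes([0x7A, 0x11, 0xC3, 0x09, 0x55, 0xDE, 0xAD, 0xBE])
    return struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0301, len(payload)) + payload


if __name__ == "__main__":
    for label, sample in (("real ClientHello", build_client_hello()),
                          ("FakeTLS app-data", build_faketls_sample()),
                          ("plain HTTP", b"GET / HTTP/1.1\r\n")):
        print(f"{label:18s} -> {classify_first_client_bytes(sample)}")
```

In a sensor this check belongs on the first segment of each new flow, with the second record (the ServerHello direction) checked the same way; a record whose declared length disagrees with the bytes actually on the wire is another cheap signal, since a custom protocol that only borrows the header rarely keeps the length field honest.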