{"description": "Enterprise techniques used by SplatCloak, ATT&CK software S1234 (v1.0)", "name": "SplatCloak (S1234)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1685", "comment": "[SplatCloak](https://attack.mitre.org/software/S1234) has identified and disabled API callback features of Windows Defender and Kaspersky.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[SplatCloak](https://attack.mitre.org/software/S1234) has used Windows API to identify files associated with Windows Defender and Kaspersky.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.001", "comment": "[SplatCloak](https://attack.mitre.org/software/S1234) has used a revoked certificate to exploit Windows driver execution policy where certificates issued before a specific date could still load.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[SplatCloak](https://attack.mitre.org/software/S1234) has utilized Native Windows API calls dynamically through `ZwQuerySystemInformation`.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[SplatCloak](https://attack.mitre.org/software/S1234) has identified drivers of AV solutions by searching for related filenames, keywords and signed certificates.(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", 
"comment": "[SplatCloak](https://attack.mitre.org/software/S1234) has collected the Windows build number using the Windows kernel API `RtlGetVersion` to determine if the response is 19000 or higher (Windows 10 version 2004 or later).(Citation: Zscaler PAKLOG CorkLog SplatCloak Splatdropper April 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SplatCloak", "color": "#66b1ff"}]}