{
  "description": "Enterprise techniques used by TA2541, ATT&CK group G1018 (v1.1)",
  "name": "TA2541 (G1018)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1583", "showSubtechniques": true},
    {"techniqueID": "T1583.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has registered domains often containing the keywords \u201ckimjoy,\u201d \u201ch0pe,\u201d and \u201cgrace,\u201d using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.006", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has hosted malicious files on various platforms including Google Drive, OneDrive, Discord, PasteText, ShareText, and GitHub.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used PowerShell to download files and to inject into various Windows processes.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1568", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used dynamic DNS services for C2 infrastructure.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used TLS encrypted C2 communications including for campaigns using AsyncRAT.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has attempted to disable built-in security protections such as Windows AMSI.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used malicious scripts and macros with the ability to download additional payloads.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used file names to mimic legitimate Windows files or system functionality.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used a .NET packer to obfuscate malicious files.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used commodity remote access tools.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has sent phishing emails with malicious attachments for initial access including MS Word documents.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used spearphishing e-mails with malicious links to deliver malware.(Citation: Proofpoint TA2541 February 2022)(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has injected malicious code into legitimate .NET related processes including regsvcs.exe, msbuild.exe, and installutil.exe.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used process hollowing to execute CyberGate malware.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used scheduled tasks to establish persistence for installed tools.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used tools to search victim systems for security products such as antivirus and firewall software.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1608", "showSubtechniques": true},
    {"techniqueID": "T1608.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has uploaded malware to various platforms including Google Drive, Pastetext, Sharetext, and GitHub.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.005", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used `mshta` to execute scripts including VBS.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has collected system information prior to downloading malware on the targeted host.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "showSubtechniques": true},
    {"techniqueID": "T1016.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has run scripts to check internet connectivity from compromised hosts.(Citation: Cisco Operation Layover September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.001", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used malicious links to cloud and web services to gain execution on victim machines.(Citation: Proofpoint TA2541 February 2022)(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used macro-enabled MS Word documents to lure victims into executing malicious payloads.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[TA2541](https://attack.mitre.org/groups/G1018) has used WMI to query targeted systems for security products.(Citation: Proofpoint TA2541 February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by TA2541", "color": "#66b1ff"}]
}
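The usual reason to pull a group layer like the one above is to compare it against your own detection coverage and produce a gap layer in the same Navigator format. The script below is an added example, not part of the ATT&CK or Navigator projects; it embeds a constructed subset of the TA2541 entries (comments paraphrased) so it runs offline, and it applies one labelled assumption: a sub-technique counts as covered if either its own ID or its parent technique ID is in the coverage list. Parent rows that carry only "showSubtechniques" and no score are ignored, since in this layer they are display hints rather than observed behaviour.

```python
"""Gap analysis between an ATT&CK Navigator group layer and a detection-coverage list.

Added example, not code from the ATT&CK/Navigator projects. Assumes the layer
uses the fields seen in the TA2541 layer above: a "techniques" list whose
entries carry "techniqueID", optional "score", optional "comment".
"""
import json
from typing import Iterable

# Constructed sample: a subset of the TA2541 (G1018) entries in the same shape as
# the layer above (comments paraphrased). Parent rows without a score are only
# "showSubtechniques" display hints, not observed behaviour.
SAMPLE_LAYER_JSON = json.dumps({
    "name": "TA2541 (G1018) subset",
    "domain": "enterprise-attack",
    "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
    "techniques": [
        {"techniqueID": "T1059", "showSubtechniques": True},
        {"techniqueID": "T1059.001", "comment": "PowerShell downloads and injection", "score": 1},
        {"techniqueID": "T1059.005", "comment": "VBS payload execution/persistence", "score": 1},
        {"techniqueID": "T1218", "showSubtechniques": True},
        {"techniqueID": "T1218.005", "comment": "mshta executing VBS", "score": 1},
        {"techniqueID": "T1055", "comment": "injection into regsvcs/msbuild/installutil", "score": 1},
        {"techniqueID": "T1055.012", "comment": "process hollowing (CyberGate)", "score": 1},
        {"techniqueID": "T1047", "comment": "WMI query for security products", "score": 1},
    ],
})


def scored_techniques(layer: dict) -> dict[str, str]:
    """Return {techniqueID: comment} for every entry the layer actually scores.

    Entries without a positive score (parent placeholders that only set
    showSubtechniques) are skipped so they do not count as observed behaviour.
    """
    out: dict[str, str] = {}
    for entry in layer.get("techniques", []):
        if entry.get("score", 0) > 0:
            out[entry["techniqueID"]] = entry.get("comment", "")
    return out


def is_covered(technique_id: str, covered: set[str]) -> bool:
    """Assumed rule: a sub-technique is covered if it, or its parent technique, is in `covered`."""
    parent = technique_id.split(".")[0]
    return technique_id in covered or parent in covered


def gap_layer(layer: dict, covered: Iterable[str], name: str = "gaps") -> dict:
    """Build a new Navigator layer containing only the scored techniques that are not covered."""
    covered_set = set(covered)
    gaps = []
    for tid, comment in scored_techniques(layer).items():
        if not is_covered(tid, covered_set):
            gaps.append({"techniqueID": tid, "comment": comment, "score": 1, "color": "#ff6666"})
    return {
        "name": name,
        "domain": layer.get("domain", "enterprise-attack"),
        "versions": layer.get("versions", {}),
        "techniques": gaps,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
        "legendItems": [{"label": "used by group, not covered", "color": "#ff6666"}],
    }


def gap_ids(layer_json: str, covered: Iterable[str]) -> list[str]:
    """Convenience wrapper: sorted technique IDs that remain uncovered."""
    return sorted(e["techniqueID"] for e in gap_layer(json.loads(layer_json), covered)["techniques"])


if __name__ == "__main__":
    # Constructed coverage list: detections for PowerShell (T1059.001) and for
    # process injection in general (parent T1055, which also covers T1055.012).
    print(json.dumps(gap_layer(json.loads(SAMPLE_LAYER_JSON), {"T1059.001", "T1055"}), indent=2))
```

Feed the real G1018 layer through `json.load` in place of the constructed sample and load the resulting gap layer into Navigator; the coverage set is typically exported from whatever tags your detection rules with ATT&CK IDs. If your rules are tagged only at the parent level, the parent-covers-sub assumption above is what keeps a rule for T1055 from being reported as a gap for T1055.012; drop that rule if you want strict sub-technique matching.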