{"description": "Enterprise techniques used by Velvet Ant, ATT&CK group G1047 (v1.0)", "name": "Velvet Ant (G1047)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [
{"techniqueID": "T1071", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has used reverse SSH tunnels to communicate to victim devices.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1037", "showSubtechniques": true},
{"techniqueID": "T1037.004", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) used a modified `/etc/rc.local` file on compromised F5 BIG-IP devices to maintain persistence.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.004", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) used a custom tool, VELVETSTING, to parse encoded inbound commands to compromised F5 BIG-IP devices and then execute them via the Unix shell.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1132", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) sent commands to compromised F5 BIG-IP devices in an encoded format requiring a passkey before interpretation and execution.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1573", "showSubtechniques": true},
{"techniqueID": "T1573.002", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has used a reverse SSH shell to securely communicate with victim devices.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1211", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) exploited CVE-2024-20399 in Cisco Switches to which the threat actor was already able to authenticate in order to escape the NX-OS command line interface and gain access to the underlying operating system for arbitrary command execution.(Citation: Sygnia VelvetAnt 2024B)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1133", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has leveraged access to internet-facing remote services to compromise and retain access to victim environments.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1083", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has enumerated local files and folders on victim devices.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1574", "showSubtechniques": true},
{"techniqueID": "T1574.001", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as [PlugX](https://attack.mitre.org/software/S0013).(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1562", "showSubtechniques": true},
{"techniqueID": "T1562.001", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) attempted to disable local security tools and endpoint detection and response (EDR) software during operations.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1562.004", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) modified system firewall settings during [PlugX](https://attack.mitre.org/software/S0013) installation using `netsh.exe` to open a listening, random high number port on victim devices.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1570", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) transferred files laterally within victim networks through the [Impacket](https://attack.mitre.org/software/S0357) toolkit.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1036", "showSubtechniques": true},
{"techniqueID": "T1036.005", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) used a malicious DLL, `iviewers.dll`, that mimics the legitimate \"OLE/COM Object Viewer\" within Windows.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1040", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has used a custom tool, \"VELVETTAP\", to perform packet capture from compromised F5 BIG-IP devices.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1571", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has used random high number ports for [PlugX](https://attack.mitre.org/software/S0013) listeners on victim devices.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1055", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047)'s initial execution included launching multiple `svchost` processes and injecting code into them.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1090", "showSubtechniques": true},
{"techniqueID": "T1090.001", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has tunneled traffic from victims through an internal, compromised host to proxy communications to command and control nodes.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1021", "showSubtechniques": true},
{"techniqueID": "T1021.002", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has transferred tools within victim environments using SMB.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1049", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) has enumerated existing network connections on victim devices.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1569", "showSubtechniques": true},
{"techniqueID": "T1569.002", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) executed and installed [PlugX](https://attack.mitre.org/software/S0013) as a Windows service.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1078", "showSubtechniques": true},
{"techniqueID": "T1078.003", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) accessed vulnerable Cisco switch devices using accounts with administrator privileges.(Citation: Sygnia VelvetAnt 2024B)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1047", "comment": "[Velvet Ant](https://attack.mitre.org/groups/G1047) used the `wmiexec.py` tool within [Impacket](https://attack.mitre.org/software/S0357) for remote process execution via WMI.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Velvet Ant", "color": "#66b1ff"}]}