{"description": "Enterprise techniques used by PoisonIvy, ATT&CK software S0012 (v2.2)", "name": "PoisonIvy (S0012)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1010", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) captures window titles.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) creates run key Registry entries pointing to a malicious executable dropped to disk.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.014", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a Registry key in the Active Setup pointing to a malicious executable.(Citation: Microsoft PoisonIvy 2017)(Citation: paloalto Tropic Trooper 2016)(Citation: FireEye Regsvr32 Targeting Mongolian Gov)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a backdoor through which remote attackers can open a command-line interface.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a Registry subkey that registers a new service. \n[PoisonIvy](https://attack.mitre.org/software/S0012) also creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a backdoor through which remote attackers can steal system information.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) stages collected data in a text file.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) uses the Camellia cipher to encrypt communications.(Citation: FireEye Poison Ivy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a mutex using either a custom or default value.(Citation: FireEye Poison Ivy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a backdoor through which remote attackers can upload files.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) contains a keylogger.(Citation: FireEye Poison Ivy)(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", 
"comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) creates a Registry subkey that registers a new system device.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) hides any strings related to its own indicators of compromise.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) can inject a malicious DLL into a process.(Citation: FireEye Poison Ivy)(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1014", "comment": "[PoisonIvy](https://attack.mitre.org/software/S0012) starts a rootkit from a malicious file dropped to disk.(Citation: Symantec Darkmoon Aug 2005)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PoisonIvy", "color": "#66b1ff"}]}