{"description": "Enterprise techniques used by PlugX, ATT&CK software S0013 (v3.2)",
 "name": "PlugX (S0013)",
 "domain": "enterprise-attack",
 "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
 "techniques": [
  {"techniqueID": "T1071", "showSubtechniques": true},
  {"techniqueID": "T1071.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can be configured to use HTTP for command and control.(Citation: Dell TG-3390)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1071.004", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can be configured to use DNS for command and control.(Citation: Dell TG-3390)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1547", "showSubtechniques": true},
  {"techniqueID": "T1547.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) adds Run key entries in the Registry to establish persistence.(Citation: Lastline PlugX Analysis)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1059", "showSubtechniques": true},
  {"techniqueID": "T1059.003", "comment": "[PlugX](https://attack.mitre.org/software/S0013) allows actors to spawn a reverse shell on a victim.(Citation: Dell TG-3390)(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1543", "showSubtechniques": true},
  {"techniqueID": "T1543.003", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can be added as a service to establish persistence.\n[PlugX](https://attack.mitre.org/software/S0013) also has a module to change service configurations as well as start, control, and delete services.(Citation: CIRCL PlugX March 2013)(Citation: Lastline PlugX Analysis)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)(Citation: Proofpoint ZeroT Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1140", "comment": "[PlugX](https://attack.mitre.org/software/S0013) decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.(Citation: CIRCL PlugX March 2013)(Citation: Trend Micro DRBControl February 2020)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1573", "showSubtechniques": true},
  {"techniqueID": "T1573.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can use RC4 encryption in C2 communications.(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1083", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to enumerate drives and find files recursively.(Citation: CIRCL PlugX March 2013)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1564", "showSubtechniques": true},
  {"techniqueID": "T1564.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can modify the characteristics of folders to hide them from the compromised user.(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1574", "showSubtechniques": true},
  {"techniqueID": "T1574.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has the ability to use DLL search order hijacking for installation on targeted systems.(Citation: Proofpoint TA416 Europe March 2022)\n[PlugX](https://attack.mitre.org/software/S0013) has also used DLL side-loading to evade anti-virus.(Citation: FireEye Clandestine Fox Part 2)(Citation: Dell TG-3390)(Citation: Stewart 2014)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Palo Alto PlugX June 2017)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1562", "showSubtechniques": true},
  {"techniqueID": "T1562.004", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has modified local firewall rules on victim machines to enable a random, high-number listening port for subsequent access and C2 activity.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1105", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to download and execute files on the compromised machine.(Citation: CIRCL PlugX March 2013)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1056", "showSubtechniques": true},
  {"techniqueID": "T1056.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module for capturing keystrokes per process including window titles.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1036", "showSubtechniques": true},
  {"techniqueID": "T1036.004", "comment": "In one instance, [menuPass](https://attack.mitre.org/groups/G0045) added [PlugX](https://attack.mitre.org/software/S0013) as a service with a display name of \"Corel Writing Tools Utility.\"(Citation: FireEye APT10 April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1036.005", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has been disguised as legitimate Adobe and PotPlayer files.(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1112", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to create, delete, or modify Registry keys.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1106", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can use the Windows API functions `GetProcAddress`, `LoadLibrary`, and `CreateProcess` to execute another process.(Citation: Lastline PlugX Analysis)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1135", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to enumerate network shares.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1095", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can be configured to use raw TCP or UDP for command and control.(Citation: Dell TG-3390)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1571", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has used random, high-number, non-standard ports to listen for subsequent actions and C2 activities.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1027", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can use API hashing and modify the names of strings to evade detection.(Citation: Trend Micro DRBControl February 2020)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1057", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to list the processes running on a machine.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1012", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can enumerate and query for information contained within the Windows Registry.(Citation: Lastline PlugX Analysis)(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1113", "comment": "[PlugX](https://attack.mitre.org/software/S0013) allows the operator to capture screenshots.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1049", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module for enumerating TCP and UDP network connections and associated processes using the netstat command.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1127", "showSubtechniques": true},
  {"techniqueID": "T1127.001", "comment": "A version of [PlugX](https://attack.mitre.org/software/S0013) loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.(Citation: Palo Alto PlugX June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1497", "showSubtechniques": true},
  {"techniqueID": "T1497.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) checks if VMware tools is running in the background by searching for any process named \"vmtoolsd\".(Citation: Unit42 PlugX June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1102", "showSubtechniques": true},
  {"techniqueID": "T1102.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) uses Pastebin to store C2 addresses.(Citation: Palo Alto PlugX June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
 ],
 "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
 "legendItems": [{"label": "used by PlugX", "color": "#66b1ff"}]}