{"description": "Enterprise techniques used by Regin, ATT&CK software S0019 (v1.2)", "name": "Regin (S0019)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "The [Regin](https://attack.mitre.org/software/S0019) malware platform supports many standard protocols, including HTTP and HTTPS.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "The [Regin](https://attack.mitre.org/software/S0019) malware platform supports many standard protocols, including SMB.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.004", "comment": "The [Regin](https://attack.mitre.org/software/S0019) malware platform uses Extended Attributes to store encrypted executables.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.005", "comment": "[Regin](https://attack.mitre.org/software/S0019) has used a hidden file system to store some of its components.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Regin](https://attack.mitre.org/software/S0019) contains a keylogger.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.001", "comment": "[Regin](https://attack.mitre.org/software/S0019) stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Regin](https://attack.mitre.org/software/S0019) appears to have functionality to modify remote Registry information.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1040", "comment": "[Regin](https://attack.mitre.org/software/S0019) appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "The [Regin](https://attack.mitre.org/software/S0019) malware platform can use ICMP to communicate between infected computers.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.002", "comment": "[Regin](https://attack.mitre.org/software/S0019) leveraged several compromised universities as proxies to obscure its origin.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "The [Regin](https://attack.mitre.org/software/S0019) malware platform can use Windows admin shares to move laterally.(Citation: Kaspersky Regin)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Regin", "color": "#66b1ff"}]}