{"description": "Enterprise techniques used by Carbanak, ATT&CK software S0030 (v1.1)", "name": "Carbanak (S0030)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "The [Carbanak](https://attack.mitre.org/software/S0030) malware communicates with its command and control server using HTTP with an encrypted payload.(Citation: Kaspersky Carbanak)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) stores a configuration file in the startup directory to automatically execute commands in order to persist across reboots.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) has a command to create a reverse shell.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) can create a Windows account.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) encodes the message body of HTTP traffic with Base64.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1030", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) exfiltrates data in compressed chunks if a message is larger than 4096 bytes.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.001", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) searches recursively for Outlook personal storage table (PST) files within user directories and sends them back to the C2 server.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) encrypts the message body of HTTP traffic with RC2 (in CBC mode). [Carbanak](https://attack.mitre.org/software/S0030) also uses XOR with random keys for its communications.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) has a command to delete files.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) logs keystrokes for configured processes and sends them back to the C2 server.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) encrypts strings to make analysis more difficult.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) obtains Windows logon password details.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) lists running processes.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.002", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) downloads an executable and injects it directly into a new process.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) checks the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings for proxy configuration information.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) has a plugin for VNC and Ammyy Admin Tool.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) enables concurrent Remote Desktop Protocol (RDP) sessions.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[Carbanak](https://attack.mitre.org/software/S0030) performs desktop video recording and captures screenshots of the desktop, and sends them to the C2 server.(Citation: FireEye CARBANAK June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Carbanak", "color": "#66b1ff"}]}