{"description": "Enterprise techniques used by BACKSPACE, ATT&CK software S0031 (v1.1)", "name": "BACKSPACE (S0031)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BACKSPACE](https://attack.mitre.org/software/S0031) uses HTTP as a transport to communicate with its command server.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[BACKSPACE](https://attack.mitre.org/software/S0031) achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "[BACKSPACE](https://attack.mitre.org/software/S0031) achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "Adversaries can direct [BACKSPACE](https://attack.mitre.org/software/S0031) to execute from the command line on infected hosts, or have [BACKSPACE](https://attack.mitre.org/software/S0031) create a reverse shell.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.002", "comment": "Newer variants of [BACKSPACE](https://attack.mitre.org/software/S0031) will encode C2 communications with a custom system.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "Adversaries can direct [BACKSPACE](https://attack.mitre.org/software/S0031) to upload files to the C2 Server.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[BACKSPACE](https://attack.mitre.org/software/S0031) allows adversaries to search for files.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "The \"ZR\" variant of [BACKSPACE](https://attack.mitre.org/software/S0031) will check to see if known host-based firewalls are installed on the infected systems. [BACKSPACE](https://attack.mitre.org/software/S0031) will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[BACKSPACE](https://attack.mitre.org/software/S0031) is capable of deleting Registry keys, sub-keys, and values on a victim system.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1104", "comment": "[BACKSPACE](https://attack.mitre.org/software/S0031) attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs \"louder\" interactions with the malware.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[BACKSPACE](https://attack.mitre.org/software/S0031) may collect information about running processes.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "The \"ZJ\" variant of [BACKSPACE](https://attack.mitre.org/software/S0031) allows \"ZJ link\" infections with Internet access to relay traffic from \"ZJ listen\" to a command server.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[BACKSPACE](https://attack.mitre.org/software/S0031) is capable of enumerating and making modifications to an infected system's Registry.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "During its initial execution, [BACKSPACE](https://attack.mitre.org/software/S0031) extracts operating system information from the infected host.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BACKSPACE", "color": "#66b1ff"}]}