{
  "description": "Enterprise techniques used by NETEAGLE, ATT&CK software S0034 (v1.1)",
  "name": "NETEAGLE (S0034)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "comment": "Adversaries can also use [NETEAGLE](https://attack.mitre.org/software/S0034) to establish an RDP connection with a controller over TCP/7519.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[NETEAGLE](https://attack.mitre.org/software/S0034) will attempt to detect whether the infected host is configured to use a proxy. If so, [NETEAGLE](https://attack.mitre.org/software/S0034) will send beacons via an HTTP POST request. [NETEAGLE](https://attack.mitre.org/software/S0034) will also use HTTP to download resources that contain an IP address and port number pair to connect to for further C2.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "The \"SCOUT\" variant of [NETEAGLE](https://attack.mitre.org/software/S0034) achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[NETEAGLE](https://attack.mitre.org/software/S0034) allows adversaries to execute shell commands on the infected host.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1568", "comment": "[NETEAGLE](https://attack.mitre.org/software/S0034) can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[NETEAGLE](https://attack.mitre.org/software/S0034) will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\"(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[NETEAGLE](https://attack.mitre.org/software/S0034) is capable of reading files over the C2 channel.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[NETEAGLE](https://attack.mitre.org/software/S0034) will attempt to detect whether the infected host is configured to use a proxy. If so, [NETEAGLE](https://attack.mitre.org/software/S0034) will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[NETEAGLE](https://attack.mitre.org/software/S0034) allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1095", "comment": "If [NETEAGLE](https://attack.mitre.org/software/S0034) does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and port number, [NETEAGLE](https://attack.mitre.org/software/S0034) will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[NETEAGLE](https://attack.mitre.org/software/S0034) can send process listings over the C2 channel.(Citation: FireEye APT30)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by NETEAGLE", "color": "#66b1ff"}]
}