{"description": "Enterprise techniques used by Duqu, ATT&CK software S0038 (v1.2)", "name": "Duqu (S0038)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "comment": "[Duqu](https://attack.mitre.org/software/S0038) examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges.(Citation: Kaspersky Duqu 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "The discovery modules used with [Duqu](https://attack.mitre.org/software/S0038) can collect information on accounts and permissions.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "comment": "[Duqu](https://attack.mitre.org/software/S0038) uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1010", "comment": "The discovery modules used with [Duqu](https://attack.mitre.org/software/S0038) can collect information on open windows.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "Modules can be pushed to and executed by [Duqu](https://attack.mitre.org/software/S0038) that copy data to a staging area, compress it, and XOR encrypt it.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": 
"T1543.003", "comment": "[Duqu](https://attack.mitre.org/software/S0038) creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.002", "comment": "When the [Duqu](https://attack.mitre.org/software/S0038) command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "Modules can be pushed to and executed by [Duqu](https://attack.mitre.org/software/S0038) that copy data to a staging area, compress it, and XOR encrypt it.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "The [Duqu](https://attack.mitre.org/software/S0038) command and control protocol's data stream can be encrypted with AES-CBC.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Duqu](https://attack.mitre.org/software/S0038) can track key presses with a keylogger module.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "The discovery modules used with [Duqu](https://attack.mitre.org/software/S0038) can collect information on process details.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": 
"T1055.001", "comment": "[Duqu](https://attack.mitre.org/software/S0038) will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Duqu](https://attack.mitre.org/software/S0038) is capable of loading executable code via process hollowing.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1572", "comment": "[Duqu](https://attack.mitre.org/software/S0038) uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[Duqu](https://attack.mitre.org/software/S0038) can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "Adversaries can instruct [Duqu](https://attack.mitre.org/software/S0038) to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "Adversaries can instruct [Duqu](https://attack.mitre.org/software/S0038) to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Duqu](https://attack.mitre.org/software/S0038) has used msiexec to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages.(Citation: Kaspersky Duqu 2.0)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "The reconnaissance modules used with [Duqu](https://attack.mitre.org/software/S0038) can collect information on network configuration.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "The discovery modules used with [Duqu](https://attack.mitre.org/software/S0038) can collect information on network connections.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "comment": "Adversaries can instruct [Duqu](https://attack.mitre.org/software/S0038) to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.(Citation: Symantec W32.Duqu)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Duqu", "color": "#66b1ff"}]}