{"description": "Enterprise techniques used by LOWBALL, ATT&CK software S0042 (v1.1)", "name": "LOWBALL (S0042)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[LOWBALL](https://attack.mitre.org/software/S0042) command and control occurs via HTTPS over port 443.(Citation: FireEye admin@338)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[LOWBALL](https://attack.mitre.org/software/S0042) uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the [LOWBALL](https://attack.mitre.org/software/S0042) malware.(Citation: FireEye admin@338)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[LOWBALL](https://attack.mitre.org/software/S0042) uses the Dropbox cloud storage service for command and control.(Citation: FireEye admin@338)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by LOWBALL", "color": "#66b1ff"}]}