{"description": "Enterprise techniques used by ADVSTORESHELL, ATT&CK software S0045 (v1.1)", "name": "ADVSTORESHELL (S0045)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.(Citation: Kaspersky Sofacy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) compresses output data generated by command execution with a custom implementation of the Lempel\u2013Ziv\u2013Welch (LZW) algorithm.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) achieves persistence by adding itself to the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) can create a remote shell and run a given command.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", 
"comment": "C2 traffic from [ADVSTORESHELL](https://attack.mitre.org/software/S0045) is encrypted, then encoded with Base64 encoding.(Citation: Kaspersky Sofacy)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) stores output from command execution in a .dat file in the %TEMP% directory.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "A variant of [ADVSTORESHELL](https://attack.mitre.org/software/S0045) encrypts some C2 with 3DES.(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "A variant of [ADVSTORESHELL](https://attack.mitre.org/software/S0045) encrypts some C2 with RSA.(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "Some variants of [ADVSTORESHELL](https://attack.mitre.org/software/S0045) achieve persistence by registering the payload as a Shell Icon Overlay handler COM object.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) exfiltrates data over the same channel used for C2.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) can list files and directories.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": 
"T1070.004", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) can delete files and directories.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) can perform keylogging.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is capable of setting and deleting Registry values.(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is capable of starting a process using CreateProcess.(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "Most of the strings in [ADVSTORESHELL](https://attack.mitre.org/software/S0045) are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.(Citation: Kaspersky Sofacy)(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) can list connected devices.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) can list running processes.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) can enumerate registry keys.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1029", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) has used rundll32.exe in a Registry value to establish persistence.(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[ADVSTORESHELL](https://attack.mitre.org/software/S0045) can run [Systeminfo](https://attack.mitre.org/software/S0096) to gather information about the victim.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ADVSTORESHELL", "color": "#66b1ff"}]}