{"description": "Enterprise techniques used by CosmicDuke, ATT&CK software S0050 (v1.1)", "name": "CosmicDuke (S0050)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) can use HTTP or HTTPS for command and control to hard-coded C2 servers.(Citation: F-Secure The Dukes)(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1020", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) exfiltrates collected files automatically over FTP to remote servers.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1115", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) copies and exfiltrates the clipboard contents every 30 seconds.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) uses Windows services typically named \"javamtsup\" for persistence.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.(Citation: F-Secure The Dukes)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) collects user credentials, including passwords, for various programs including Web browsers.(Citation: F-Secure The Dukes)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) steals user files from local hard drives with file extensions that match a predefined list.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1039", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) steals user files from network shared drives with file extensions and keywords that match a predefined list.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1025", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) steals user files from removable media with file extensions and keywords that match a predefined list.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.001", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) contains a custom version of the RC4 algorithm that includes a programming error.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1068", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.(Citation: F-Secure The Dukes)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) searches attached and mounted drives for file extensions and keywords that match a predefined list.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) uses a keylogger.(Citation: F-Secure The Dukes)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) collects Windows account hashes.(Citation: F-Secure The Dukes)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.004", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) collects LSA secrets.(Citation: F-Secure The Dukes)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) uses scheduled tasks typically named \"Watchmon Service\" for persistence.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[CosmicDuke](https://attack.mitre.org/software/S0050) takes periodic screenshots and exfiltrates them.(Citation: F-Secure Cosmicduke)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CosmicDuke", "color": "#66b1ff"}]}