{
  "description": "Enterprise techniques used by DustySky, ATT&CK software S0062 (v1.1)",
  "name": "DustySky (S0062)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[DustySky](https://attack.mitre.org/software/S0062) has used both HTTP and HTTPS for C2.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[DustySky](https://attack.mitre.org/software/S0062) can compress files via RAR while staging data to be exfiltrated.(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[DustySky](https://attack.mitre.org/software/S0062) achieves persistence by creating a Registry entry in HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[DustySky](https://attack.mitre.org/software/S0062) created folders in temp directories to host collected files before exfiltration.(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[DustySky](https://attack.mitre.org/software/S0062) has exfiltrated data to the C2 server.(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[DustySky](https://attack.mitre.org/software/S0062) has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[DustySky](https://attack.mitre.org/software/S0062) scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[DustySky](https://attack.mitre.org/software/S0062) can delete files it creates from the infected system.(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[DustySky](https://attack.mitre.org/software/S0062) contains a keylogger.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1570", "comment": "[DustySky](https://attack.mitre.org/software/S0062) searches for network drives and removable media and duplicates itself onto them.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "The [DustySky](https://attack.mitre.org/software/S0062) dropper uses a function to obfuscate the name of functions and other parts of the malware.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1120", "comment": "[DustySky](https://attack.mitre.org/software/S0062) can detect connected USB devices.(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[DustySky](https://attack.mitre.org/software/S0062) collects information about running processes from victims.(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1091", "comment": "[DustySky](https://attack.mitre.org/software/S0062) searches for removable media and duplicates itself onto it.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[DustySky](https://attack.mitre.org/software/S0062) captures PNG screenshots of the main screen.(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "comment": "[DustySky](https://attack.mitre.org/software/S0062) lists all installed software for the infected machine.(Citation: Kaspersky MoleRATs April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[DustySky](https://attack.mitre.org/software/S0062) checks for the existence of anti-virus.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[DustySky](https://attack.mitre.org/software/S0062) extracts basic information about the operating system.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "The [DustySky](https://attack.mitre.org/software/S0062) dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.(Citation: DustySky)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by DustySky", "color": "#66b1ff"}]
}