{"description": "Enterprise techniques used by BLACKCOFFEE, ATT&CK software S0069 (v1.1)", "name": "BLACKCOFFEE (S0069)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) has the capability to create a reverse shell.(Citation: FireEye APT17)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) has the capability to enumerate files.(Citation: FireEye APT17)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) has the capability to delete files.(Citation: FireEye APT17)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1104", "comment": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) uses Microsoft\u2019s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims\u2019 machines.(Citation: FireEye APT17)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) has the capability to discover processes.(Citation: FireEye APT17)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) uses Microsoft\u2019s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server.(Citation: FireEye APT17)(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[BLACKCOFFEE](https://attack.mitre.org/software/S0069) has also obfuscated its C2 traffic as normal traffic to sites such as GitHub.(Citation: FireEye APT17)(Citation: FireEye Periscope March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BLACKCOFFEE", "color": "#66b1ff"}]}
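The layer above is what a detection team would load into ATT&CK Navigator and overlay on its own coverage layer to find which BLACKCOFFEE behaviours have no rule behind them. The following is an added example (not code from MITRE, Navigator, or the ATT&CK project) that does that overlay offline: it reads a software layer in the format above, keeps only the scored rows (the unscored parent rows such as `T1059` and `T1102` are Navigator scaffolding that expands sub-techniques, not statements that the malware uses the parent), intersects them with a second layer of detections, and emits the gaps as a new layer you can load back into the tool. The BLACKCOFFEE layer embedded in the code is a trimmed copy of the one above; the detection layer and its technique scores are constructed for illustration.

```python
"""Overlay a software layer (techniques a sample uses) on a detection layer
(techniques we can detect) and emit the uncovered techniques as a new layer.

Added example, not part of ATT&CK Navigator. Layer JSON below is trimmed from
the BLACKCOFFEE layer; the detection layer is constructed for illustration.
"""
import json
from collections import defaultdict

# Trimmed copy of the BLACKCOFFEE (S0069) layer: same technique rows, short comments.
BLACKCOFFEE_LAYER = json.dumps({
    "name": "BLACKCOFFEE (S0069)",
    "domain": "enterprise-attack",
    "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
    "techniques": [
        {"techniqueID": "T1059", "showSubtechniques": True},          # parent row, no score
        {"techniqueID": "T1059.003", "comment": "reverse shell", "score": 1},
        {"techniqueID": "T1083", "comment": "enumerate files", "score": 1},
        {"techniqueID": "T1070", "showSubtechniques": True},          # parent row, no score
        {"techniqueID": "T1070.004", "comment": "delete files", "score": 1},
        {"techniqueID": "T1104", "comment": "encoded C2 address fetched from TechNet", "score": 1},
        {"techniqueID": "T1057", "comment": "discover processes", "score": 1},
        {"techniqueID": "T1102", "showSubtechniques": True},          # parent row, no score
        {"techniqueID": "T1102.001", "comment": "dead drop resolver on TechNet", "score": 1},
        {"techniqueID": "T1102.002", "comment": "C2 blended with GitHub traffic", "score": 1},
    ],
})

# Hypothetical detection-coverage layer (constructed): score 1 = a rule exists,
# score 0 = the row is present but the rule is disabled, so it must not count.
DETECTION_LAYER = json.dumps({
    "name": "our detections",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.003", "score": 1},
        {"techniqueID": "T1070.004", "score": 1},
        {"techniqueID": "T1057", "score": 0},
    ],
})


def scored_techniques(layer_json):
    """Return {techniqueID: comment} for rows with score > 0.

    Parent rows that only carry showSubtechniques have no score and are
    skipped; they do not assert that the software uses the parent technique.
    """
    layer = json.loads(layer_json)
    out = {}
    for row in layer.get("techniques", []):
        if row.get("score", 0) > 0:
            out[row["techniqueID"]] = row.get("comment", "")
    return out


def group_by_parent(technique_ids):
    """Group IDs under their parent technique: T1102.001 -> T1102."""
    groups = defaultdict(set)
    for tid in technique_ids:
        groups[tid.split(".")[0]].add(tid)
    return {parent: sorted(ids) for parent, ids in groups.items()}


def coverage_gaps(software_layer_json, detection_layer_json):
    """Technique IDs the software uses that no scored detection row covers."""
    sw, det = json.loads(software_layer_json), json.loads(detection_layer_json)
    if sw.get("domain") != det.get("domain"):
        # Enterprise and Mobile/ICS IDs do not overlap meaningfully; refuse.
        raise ValueError("layers are from different ATT&CK domains")
    used = scored_techniques(software_layer_json)
    covered = set(scored_techniques(detection_layer_json))
    return sorted(tid for tid in used if tid not in covered)


def gap_layer(software_layer_json, detection_layer_json, name="coverage gaps"):
    """Build a Navigator layer (same schema as the input) that highlights the gaps."""
    used = scored_techniques(software_layer_json)
    gaps = coverage_gaps(software_layer_json, detection_layer_json)
    return {
        "name": name,
        "domain": json.loads(software_layer_json)["domain"],
        "versions": {"layer": "4.5"},
        "techniques": [
            {"techniqueID": tid, "score": 1, "color": "#ff6666", "comment": used[tid]}
            for tid in gaps
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
        "legendItems": [{"label": "used by software, no detection", "color": "#ff6666"}],
    }


if __name__ == "__main__":
    print(json.dumps(gap_layer(BLACKCOFFEE_LAYER, DETECTION_LAYER), indent=2))
```

The output is itself a layer file, so it can be opened in Navigator next to the original to show which of the BLACKCOFFEE rows (here the TechNet dead drop and the GitHub-blended C2, among others) still have nothing watching them.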