{
  "description": "Enterprise techniques used by S-Type, ATT&CK software S0085 (v1.3)",
  "name": "S-Type (S0085)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.001", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has run the command `net user` on a victim.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[S-Type](https://attack.mitre.org/software/S0085) uses HTTP for C2.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[S-Type](https://attack.mitre.org/software/S0085) may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ IMJPMIJ8.1{3 characters of Unique Identifier}.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.009", "comment": "[S-Type](https://attack.mitre.org/software/S0085) may create the file %HOMEPATH%\\Start Menu\\Programs\\Startup\\Realtek {Unique Identifier}.lnk, which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has provided the ability to execute shell commands on a compromised host.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1136", "showSubtechniques": true},
    {"techniqueID": "T1136.001", "comment": "[S-Type](https://attack.mitre.org/software/S0085) may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6\u201d{Unique Identifier}`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[S-Type](https://attack.mitre.org/software/S0085) uses Base64 encoding for C2 traffic.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has uploaded data and files from a compromised host to its C2 servers.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[S-Type](https://attack.mitre.org/software/S0085) primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has deleted files it has created on a compromised host.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.009", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has deleted accounts it has created.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[S-Type](https://attack.mitre.org/software/S0085) can download additional files onto a compromised host.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[S-Type](https://attack.mitre.org/software/S0085) may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.(Citation: Cylance Dust Storm)(Citation: Microsoft DTC)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has used Windows APIs, including `GetKeyboardType`, `NetUserAdd`, and `NetUserDel`.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "Some [S-Type](https://attack.mitre.org/software/S0085) samples have been packed with UPX.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "The initial beacon packet for [S-Type](https://attack.mitre.org/software/S0085) contains the operating system version and file system of the victim.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has attempted to determine if a compromised system was using a Japanese keyboard via the `GetKeyboardType` API call.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has used `ipconfig /all` on a compromised host.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[S-Type](https://attack.mitre.org/software/S0085) has run tests to determine the privilege level of the compromised user.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[S-Type](https://attack.mitre.org/software/S0085) runs the command `net start` on a victim.(Citation: Cylance Dust Storm)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by S-Type", "color": "#66b1ff"}]
}