{"description": "Enterprise techniques used by BlackEnergy, ATT&CK software S0089 (v1.4)", "name": "BlackEnergy (S0089)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) attempts to bypass default User Account Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) communicates with its C2 server over HTTP.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "The [BlackEnergy](https://attack.mitre.org/software/S0089) 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "The [BlackEnergy](https://attack.mitre.org/software/S0089) 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "One variant of [BlackEnergy](https://attack.mitre.org/software/S0089) creates a new service using either a hard-coded or randomly generated name.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID":
"T1555.003", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has used a plug-in to gather credentials from web browsers including Firefox, Google Chrome, and Internet Explorer.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1485", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) 2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents.(Citation: Securelist BlackEnergy Feb 2015)(Citation: ESET BlackEnergy Jan 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has the capability to communicate over a backup channel via plus.google.com.(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) gathers a list of installed applications from the Uninstall Registry key. It also gathers the registered mail, browser, and instant messaging clients from the Registry. [BlackEnergy](https://attack.mitre.org/software/S0089) has searched for given file types.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true},
{"techniqueID": "T1574.010", "comment": "One variant of [BlackEnergy](https://attack.mitre.org/software/S0089) locates existing driver services that have been disabled and drops its driver component into the binary path of one of those services, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "The [BlackEnergy](https://attack.mitre.org/software/S0089) component KillDisk is capable of deleting Windows Event Logs.(Citation: ESET BlackEnergy Jan 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has run a keylogger plug-in on a victim.(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1046", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has conducted port scans on a host.(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) can gather very specific information about attached USB devices, including the device instance ID and drive geometry.(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has gathered a process list by using [Tasklist](https://attack.mitre.org/software/S0057).exe.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)(Citation: ESET BlackEnergy Jan 2016)", "score": 1, "color": "#66b1ff",
"showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) injects its DLL component into svchost.exe.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has run a plug-in on a victim to spread through the local network by using [PsExec](https://attack.mitre.org/software/S0029) and accessing admin shares.(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) is capable of taking screenshots.(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.006", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has enabled the TESTSIGNING boot configuration option to facilitate loading of a driver component.(Citation: F-Secure BlackEnergy 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has used [Systeminfo](https://attack.mitre.org/software/S0096) to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has gathered information about network IP configurations using [ipconfig](https://attack.mitre.org/software/S0100).exe and about routing tables using 
[route](https://attack.mitre.org/software/S0103).exe.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has gathered information about local network connections using [netstat](https://attack.mitre.org/software/S0104).(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[BlackEnergy](https://attack.mitre.org/software/S0089) has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "A [BlackEnergy](https://attack.mitre.org/software/S0089) 2 plug-in uses WMI to gather victim host details.(Citation: Securelist BlackEnergy Feb 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BlackEnergy", "color": "#66b1ff"}]}
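The layer above is most useful when compared against what a SOC can actually detect. The following script is an added example, not MITRE's code and not part of the ATT&CK Navigator project. It embeds a trimmed copy of the BlackEnergy layer (a subset of its rows, with shortened comments) together with a constructed, hypothetical detection-coverage layer, then emits a new Navigator layer in the same shape that highlights only the techniques BlackEnergy uses and the coverage layer does not score. It follows the page's own convention that parent rows carrying only showSubtechniques are display-only, and it treats a score of 0 as no coverage; the option to let parent-level coverage count for a sub-technique is an assumption of this example, not something the layer format defines.

```python
"""Gap analysis between an adversary technique layer and a detection-coverage layer.

Added example (not MITRE's code and not part of the Navigator project). It reads the
Navigator layer shape used on this page: every entry in "techniques" carries a
techniqueID and an optional score; parent rows that carry only showSubtechniques exist
purely so the Navigator expands the sub-technique list, and count as unscored here.
"""
import json

# Trimmed copy of the BlackEnergy (S0089) layer on this page: a subset of rows, comments shortened.
BLACKENERGY_LAYER = {
    "name": "BlackEnergy (S0089)",
    "domain": "enterprise-attack",
    "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
    "techniques": [
        {"techniqueID": "T1548", "showSubtechniques": True},
        {"techniqueID": "T1548.002", "score": 1, "comment": "UAC bypass via backward-compatibility setting"},
        {"techniqueID": "T1071", "showSubtechniques": True},
        {"techniqueID": "T1071.001", "score": 1, "comment": "C2 over HTTP"},
        {"techniqueID": "T1547", "showSubtechniques": True},
        {"techniqueID": "T1547.001", "score": 1, "comment": ".lnk to main DLL in startup folder"},
        {"techniqueID": "T1543", "showSubtechniques": True},
        {"techniqueID": "T1543.003", "score": 1, "comment": "new service, hard-coded or random name"},
        {"techniqueID": "T1553", "showSubtechniques": True},
        {"techniqueID": "T1553.006", "score": 1, "comment": "TESTSIGNING enabled to load driver"},
        {"techniqueID": "T1574", "showSubtechniques": True},
        {"techniqueID": "T1574.010", "score": 1, "comment": "driver dropped into disabled service's path"},
        {"techniqueID": "T1021", "showSubtechniques": True},
        {"techniqueID": "T1021.002", "score": 1, "comment": "PsExec and admin shares"},
        {"techniqueID": "T1485", "score": 1, "comment": "Destroy plug-in overwrites file contents"},
    ],
}

# Constructed, hypothetical detection-coverage layer for an organisation; not from the page.
COVERAGE_LAYER = {
    "name": "detection coverage (constructed example)",
    "techniques": [
        {"techniqueID": "T1071.001", "score": 2},   # HTTP C2 analytics in place
        {"techniqueID": "T1547", "score": 1},       # coverage declared at the parent level only
        {"techniqueID": "T1543.003", "score": 1},   # service-creation alerting
        {"techniqueID": "T1021.002", "score": 0},   # listed but scored 0: no real coverage
    ],
}

GAP_COLOR = "#ff6666"


def scored_techniques(layer):
    """IDs that carry a positive score; unscored parent rows are display-only."""
    return {t["techniqueID"] for t in layer["techniques"] if t.get("score", 0) > 0}


def parent_of(technique_id):
    """'T1547.001' -> 'T1547'; a parent ID maps to itself."""
    return technique_id.split(".", 1)[0]


def is_covered(technique_id, covered_ids, inherit_parent=True):
    """A sub-technique counts as covered if itself or (optionally) its parent is scored."""
    if technique_id in covered_ids:
        return True
    return inherit_parent and "." in technique_id and parent_of(technique_id) in covered_ids


def find_gaps(adversary, coverage, inherit_parent=True):
    """Adversary techniques with no coverage, sorted for stable output."""
    covered = scored_techniques(coverage)
    return sorted(t for t in scored_techniques(adversary)
                  if not is_covered(t, covered, inherit_parent))


def gap_layer(adversary, coverage, inherit_parent=True):
    """Build a Navigator layer, in the page's shape, that highlights only the uncovered techniques."""
    gaps = find_gaps(adversary, coverage, inherit_parent)
    comments = {t["techniqueID"]: t.get("comment", "") for t in adversary["techniques"]}
    techniques = [{"techniqueID": tid, "score": 1, "color": GAP_COLOR,
                   "comment": comments.get(tid, ""), "showSubtechniques": "." in tid}
                  for tid in gaps]
    # Unscored parent rows so the Navigator expands the relevant sub-technique lists.
    for parent in sorted({parent_of(t) for t in gaps if "." in t}):
        techniques.append({"techniqueID": parent, "showSubtechniques": True})
    return {
        "name": f"gaps: {adversary['name']} vs {coverage['name']}",
        "domain": adversary["domain"],
        "versions": adversary["versions"],
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", GAP_COLOR], "minValue": 0, "maxValue": 1},
        "legendItems": [{"label": "used by adversary, no detection coverage", "color": GAP_COLOR}],
    }


if __name__ == "__main__":
    print(json.dumps(gap_layer(BLACKENERGY_LAYER, COVERAGE_LAYER), indent=2))
```

With the constructed coverage layer, T1547.001 drops out of the gap list only because inherit_parent lets the parent-level T1547 score stand in for it; pass inherit_parent=False to insist on sub-technique-level coverage, which is the stricter reading when the parent score was set by a coarse mapping rather than a tested analytic. The printed layer can be loaded into the Navigator as-is, since it keeps the same domain, versions, gradient and legendItems keys as the layer on this page.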