{"description": "Enterprise techniques used by Backdoor.Oldrea, ATT&CK software S0093 (v2.0)", "name": "Backdoor.Oldrea (S0093)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.003", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) collects address book information from Outlook.(Citation: Symantec Dragonfly)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.(Citation: Symantec Dragonfly)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) adds Registry Run keys to achieve persistence.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "Some [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) samples contain a publicly available Web browser password recovery tool.(Citation: Symantec Dragonfly)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "Some [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.(Citation: Symantec Dragonfly)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.(Citation: Symantec Dragonfly)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) contains a cleanup module that removes traces of itself from the victim.(Citation: Symantec Dragonfly)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) can download additional modules from C2.(Citation: Gigamon Berserk Bear October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) can use a network scanning module to identify ICS-related ports.(Citation: Gigamon Berserk Bear October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) collects information about running processes.(Citation: Symantec Dragonfly)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) injects itself into explorer.exe.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) can enumerate and map ICS-specific systems in victim environments.(Citation: Gigamon Berserk Bear October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": 
"[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) can use rundll32 for execution on compromised hosts.(Citation: Gigamon Berserk Bear October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) collects information about the OS and computer name.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) collects information about the Internet adapter configuration.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) collects the current username from the victim.(Citation: Symantec Dragonfly)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Backdoor.Oldrea", "color": "#66b1ff"}]}