{"description": "Enterprise techniques used by WEBC2, ATT&CK software S0109 (v2.0)", "name": "WEBC2 (S0109)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[WEBC2](https://attack.mitre.org/software/S0109) can open an interactive command shell.(Citation: Mandiant APT1)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "Variants of [WEBC2](https://attack.mitre.org/software/S0109) achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\\WINDOWS\\ntshrui.dll).(Citation: Mandiant APT1 Appendix)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[WEBC2](https://attack.mitre.org/software/S0109) can download and execute a file.(Citation: Mandiant APT1)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by WEBC2", "color": "#66b1ff"}]}