{"description": "Enterprise techniques used by Crimson, ATT&CK software S0115 (v1.3)",
 "name": "Crimson (S0115)",
 "domain": "enterprise-attack",
 "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
 "techniques": [
  {"techniqueID": "T1071", "showSubtechniques": true},
  {"techniqueID": "T1071.001", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can use a HTTP GET request to download its final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1123", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can perform audio surveillance using microphones.(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1547", "showSubtechniques": true},
  {"techniqueID": "T1547.001", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can add Registry run keys for persistence.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1059", "showSubtechniques": true},
  {"techniqueID": "T1059.003", "comment": "[Crimson](https://attack.mitre.org/software/S0115) has the ability to execute commands with the COMSPEC environment variable.(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1555", "showSubtechniques": true},
  {"techniqueID": "T1555.003", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a module to steal credentials from Web browsers on the victim machine.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1005", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can collect information from a compromised host.(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1025", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a module to collect data from removable drives.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1140", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can decode its encoded PE file prior to execution.(Citation: Proofpoint Operation Transparent Tribe March 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1114", "showSubtechniques": true},
  {"techniqueID": "T1114.001", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a command to collect and exfiltrate emails from Outlook.(Citation: Proofpoint Operation Transparent Tribe March 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1041", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can exfiltrate stolen information over its C2.(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1083", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1070", "showSubtechniques": true},
  {"techniqueID": "T1070.004", "comment": "[Crimson](https://attack.mitre.org/software/S0115) has the ability to delete files from a compromised host.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1105", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a command to retrieve files from its C2 server.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1056", "showSubtechniques": true},
  {"techniqueID": "T1056.001", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can use a module to perform keylogging on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1112", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can set a Registry key to determine how long it has been installed and possibly to indicate the version number.(Citation: Proofpoint Operation Transparent Tribe March 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1095", "comment": "[Crimson](https://attack.mitre.org/software/S0115) uses a custom TCP protocol for C2.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1120", "comment": "[Crimson](https://attack.mitre.org/software/S0115) has the ability to discover pluggable/removable drives to extract files from.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1057", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a command to list processes.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1012", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can check the Registry for the presence of HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\last_edate to determine how long it has been installed on a host.(Citation: Proofpoint Operation Transparent Tribe March 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1091", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can spread across systems by infecting removable media.(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1113", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a command to perform screen captures.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1518", "showSubtechniques": true},
  {"techniqueID": "T1518.001", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a command to collect information about anti-virus software on the victim.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
  {"techniqueID": "T1082", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a command to collect the victim PC name, disk drive information, and operating system.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1614", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can identify the geographical location of a victim host.(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1016", "comment": "[Crimson](https://attack.mitre.org/software/S0115) contains a command to collect the victim MAC address and LAN IP.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1033", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can identify the user on a targeted system.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1124", "comment": "[Crimson](https://attack.mitre.org/software/S0115) has the ability to determine the date and time on a compromised host.(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1125", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can capture webcam video on targeted systems.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
  {"techniqueID": "T1497", "showSubtechniques": true},
  {"techniqueID": "T1497.003", "comment": "[Crimson](https://attack.mitre.org/software/S0115) can determine when it has been installed on a host for at least 15 days before downloading the final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
 ],
 "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
 "legendItems": [{"label": "used by Crimson", "color": "#66b1ff"}]}