{"description": "Enterprise techniques used by Remsec, ATT&CK software S0125 (v1.4)", "name": "Remsec (S0125)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can obtain a list of users.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Remsec](https://attack.mitre.org/software/S0125) is capable of using HTTP and HTTPS for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[Remsec](https://attack.mitre.org/software/S0125) is capable of using SMTP for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)(Citation: Threatpost Sauron)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[Remsec](https://attack.mitre.org/software/S0125) is capable of using DNS for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.011", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can use modules written in Lua for execution.(Citation: Kaspersky Lua)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1025", "comment": "[Remsec](https://attack.mitre.org/software/S0125) has a package that collects documents from any inserted USB sticks.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1652", "comment": "[Remsec](https://attack.mitre.org/software/S0125) has a plugin to detect active drivers of some security products.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.(Citation: Kaspersky ProjectSauron Full Report)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1052", "showSubtechniques": true}, {"techniqueID": "T1052.001", "comment": "[Remsec](https://attack.mitre.org/software/S0125) contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.(Citation: Kaspersky ProjectSauron Full Report)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1068", "comment": "[Remsec](https://attack.mitre.org/software/S0125) has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Remsec](https://attack.mitre.org/software/S0125) is capable of listing contents of folders on the victim. [Remsec](https://attack.mitre.org/software/S0125) also searches for custom network encryption software on victims.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can add or remove applications or ports on the Windows firewall or disable it entirely.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Remsec](https://attack.mitre.org/software/S0125) is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Remsec](https://attack.mitre.org/software/S0125) contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Remsec](https://attack.mitre.org/software/S0125) contains a keylogger component.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "The [Remsec](https://attack.mitre.org/software/S0125) loader implements itself with the name Security Support Provider, a legitimate Windows function. Various [Remsec](https://attack.mitre.org/software/S0125) .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. [Remsec](https://attack.mitre.org/software/S0125) also disguised malicious modules using similar filenames as custom network encryption software on victims.(Citation: ComputerWeekly Strider)(Citation: Kaspersky ProjectSauron Full Report)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.002", "comment": "[Remsec](https://attack.mitre.org/software/S0125) harvests plain-text credentials as a password filter registered on domain controllers.(Citation: Kaspersky ProjectSauron Full Report)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1046", "comment": "[Remsec](https://attack.mitre.org/software/S0125) has a plugin that can perform ARP scanning as well as port scanning.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Remsec](https://attack.mitre.org/software/S0125) is capable of using ICMP, TCP, and UDP for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "Some data in [Remsec](https://attack.mitre.org/software/S0125) is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can dump the SAM database.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can obtain a process list from the victim.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can perform DLL injection.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can ping or traceroute a remote host.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "comment": "[Remsec](https://attack.mitre.org/software/S0125) schedules the execution one of its modules by creating a new scheduler task.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Remsec](https://attack.mitre.org/software/S0125) has a plugin detect security products via active drivers.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can obtain a list of active connections and open ports.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Remsec](https://attack.mitre.org/software/S0125) can obtain information about the current user.(Citation: Kaspersky ProjectSauron Technical Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Remsec", "color": "#66b1ff"}]}