{"description": "Enterprise techniques used by ComRAT, ATT&CK software S0126 (v1.4)", "name": "ComRAT (S0126)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has used HTTP requests for command and control.(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) can use email attachments for command and control.(Citation: ESET ComRAT May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has used PowerShell to load itself every time a user logs in to the system. [ComRAT](https://attack.mitre.org/software/S0126) can execute PowerShell scripts loaded into memory or from the file system.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has used cmd.exe to execute commands.(Citation: ESET ComRAT May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. [ComRAT](https://attack.mitre.org/software/S0126) has also used a unique password to decrypt the file used for its hidden file system.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) can use SSL/TLS encryption for its HTTP-based C2 channel. [ComRAT](https://attack.mitre.org/software/S0126) has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32.(Citation: NorthSec 2015 GData Uroburos Tools)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.005", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.(Citation: ESET ComRAT May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has used a task name associated with Windows SQM Consolidator.(Citation: ESET ComRAT May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has modified Registry values to store encrypted orchestrator code and payloads.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) can load a PE file from memory or the file system and execute it with CreateProcessW.(Citation: ESET ComRAT May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has encrypted its virtual file system using AES-256 in XTS mode.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has embedded a XOR encrypted communications module inside the orchestrator module.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has used encryption and base64 to obfuscate its orchestrator code in the Registry. [ComRAT](https://attack.mitre.org/software/S0126) has also used encoded PowerShell scripts.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has stored encrypted orchestrator code and payloads in the Registry.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has injected its orchestrator DLL into explorer.exe. [ComRAT](https://attack.mitre.org/software/S0126) has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) can check the default browser by querying HKCR\\http\\shell\\open\\command.(Citation: ESET ComRAT May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has used a scheduled task to launch its PowerShell loader.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1029", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has been programmed to sleep outside local business hours (9 to 5, Monday to Friday).(Citation: ESET ComRAT May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) can check the victim's default browser to determine which process to inject its communications module into.(Citation: ESET ComRAT May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).(Citation: CISA ComRAT Oct 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[ComRAT](https://attack.mitre.org/software/S0126) has the ability to use the Gmail web UI to receive commands and exfiltrate information.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ComRAT", "color": "#66b1ff"}]}