{"description": "Enterprise techniques used by BBSRAT, ATT&CK software S0127 (v1.2)", "name": "BBSRAT (S0127)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.002", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) can compress data with ZLIB prior to sending it back to the C2 server.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) can modify service configurations.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) uses [Expand](https://attack.mitre.org/software/S0361) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) uses a custom encryption algorithm on data sent back to the C2 server over HTTP.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList {42aedc87-2188-41fd-b9a3-0c966feabec1} or Microsoft WBEM New Event Subsystem {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} depending on the system's CPU architecture.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) can list file and directory information.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "DLL side-loading has been used to execute [BBSRAT](https://attack.mitre.org/software/S0127) through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with [BBSRAT](https://attack.mitre.org/software/S0127) by the dropper.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) can delete files and directories.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) can list running processes.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) has been seen loaded into msiexec.exe through process hollowing to hide its execution.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1007", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) can query service configuration information.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[BBSRAT](https://attack.mitre.org/software/S0127) can start, stop, or delete services.(Citation: Palo Alto Networks BBSRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BBSRAT", "color": "#66b1ff"}]}