{"description": "Enterprise techniques used by CORESHELL, ATT&CK software S0137 (v2.1)", "name": "CORESHELL (S0137)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) can communicate over HTTP for C2.(Citation: FireEye APT28)(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) can communicate over SMTP and POP3 for C2.(Citation: FireEye APT28)(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) C2 messages are Base64-encoded.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) downloads another dropper from its C2 server.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) obfuscates strings using a custom stream cipher.(Citation: FireEye APT28)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) contains unused machine instructions in a likely attempt to hinder analysis.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) is installed via execution of rundll32 with an export named \"init\" or \"InitW.\"(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[CORESHELL](https://attack.mitre.org/software/S0137) collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CORESHELL", "color": "#66b1ff"}]}