{"description": "Enterprise techniques used by Winnti for Windows, ATT&CK software S0141 (v3.1)", "name": "Winnti for Windows (S0141)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can use a variant of the sysprep UAC bypass.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) has the ability to use encapsulated HTTP/S in C2 communications.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can add a service named wind0ws to the Registry to achieve persistence after reboot.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) sets its DLL file as a new service in the Registry to establish persistence.(Citation: Microsoft Winnti Jan 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "The [Winnti for Windows](https://attack.mitre.org/software/S0141) dropper can decrypt and decompress a data blob.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can XOR encrypt C2 traffic.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.001", "comment": "The [Winnti for Windows](https://attack.mitre.org/software/S0141) dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can check for the presence of specific files prior to moving to the next phase of execution.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can delete the DLLs for its various components from a compromised host.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can set the timestamps for its worker and service components to match that of cmd.exe.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "The [Winnti for Windows](https://attack.mitre.org/software/S0141) dropper can place malicious payloads on targeted systems.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "A [Winnti for Windows](https://attack.mitre.org/software/S0141) implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.(Citation: Microsoft Winnti Jan 2017)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can use Native API to create a new process and to start services.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can communicate using custom TCP.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) has the ability to encrypt and compress its payload.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) has the ability to encrypt and compress its payload.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can check if the explorer.exe process is responsible for calling its install function.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "The [Winnti for Windows](https://attack.mitre.org/software/S0141) HTTP/S C2 mode can make use of a local proxy.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090.002", "comment": "The [Winnti for Windows](https://attack.mitre.org/software/S0141) HTTP/S C2 mode can make use of an external proxy.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, 
{"techniqueID": "T1218.011", "comment": "The [Winnti for Windows](https://attack.mitre.org/software/S0141) installer loads a DLL using rundll32.(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can determine if the OS on a compromised host is newer than Windows XP.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Winnti for Windows](https://attack.mitre.org/software/S0141) can run as a service using svchost.exe.(Citation: Novetta Winnti April 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Winnti for Windows", "color": "#66b1ff"}]}