{"description": "Enterprise techniques used by Flame, ATT&CK software S0143 (v1.1)", "name": "Flame (S0143)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1123", "comment": "[Flame](https://attack.mitre.org/software/S0143) can record audio using any existing hardware recording devices.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.002", "comment": "[Flame](https://attack.mitre.org/software/S0143) can use Windows Authentication Packages for persistence.(Citation: Crysys Skywiper)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[Flame](https://attack.mitre.org/software/S0143) can create backdoor accounts with login \u201cHelpAssistant\u201d on domain connected systems if appropriate rights are available.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1011", "showSubtechniques": true}, {"techniqueID": "T1011.001", "comment": "[Flame](https://attack.mitre.org/software/S0143) has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity.(Citation: Symantec Beetlejuice)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1210", "comment": "[Flame](https://attack.mitre.org/software/S0143) can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.010", "comment": "[Flame](https://attack.mitre.org/software/S0143) can create backdoor accounts with login `HelpAssistant` on domain connected systems if appropriate rights are available.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1091", "comment": "[Flame](https://attack.mitre.org/software/S0143) contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.(Citation: Kaspersky Flame)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Flame](https://attack.mitre.org/software/S0143) can take regular screenshots when certain applications are open that are sent to the command and control server.(Citation: Kaspersky Flame)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Flame](https://attack.mitre.org/software/S0143) identifies security software such as antivirus through the Security module.(Citation: Kaspersky Flame)(Citation: Kaspersky Flame Functionality)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "Rundll32.exe is used as a way of executing [Flame](https://attack.mitre.org/software/S0143) at the command-line.(Citation: Crysys Skywiper)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Flame", "color": "#66b1ff"}]}