{"description": "Enterprise techniques used by RTM, ATT&CK software S0148 (v1.2)", "name": "RTM (S0148)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[RTM](https://attack.mitre.org/software/S0148) can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[RTM](https://attack.mitre.org/software/S0148) has initiated connections to external domains using HTTPS.(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[RTM](https://attack.mitre.org/software/S0148) monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[RTM](https://attack.mitre.org/software/S0148) tries to add a Registry Run key under the name \"Windows Update\" to establish persistence.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[RTM](https://attack.mitre.org/software/S0148) collects data from the clipboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": 
"[RTM](https://attack.mitre.org/software/S0148) uses the command line and rundll32.exe to execute.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1568", "comment": "[RTM](https://attack.mitre.org/software/S0148) has resolved [Pony](https://attack.mitre.org/software/S0453) C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.(Citation: CheckPoint Redaman October 2019)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[RTM](https://attack.mitre.org/software/S0148) encrypts C2 traffic with a custom RC4 variant.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[RTM](https://attack.mitre.org/software/S0148) can check for specific files and directories associated with virtualization and malware analysis.(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[RTM](https://attack.mitre.org/software/S0148) can delete all files created during its execution.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.009", "comment": "[RTM](https://attack.mitre.org/software/S0148) has the ability to remove Registry entries that it created for persistence.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[RTM](https://attack.mitre.org/software/S0148) can download additional files.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[RTM](https://attack.mitre.org/software/S0148) can record keystrokes from both the keyboard and virtual keyboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "[RTM](https://attack.mitre.org/software/S0148) can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "[RTM](https://attack.mitre.org/software/S0148) has been delivered as archived Windows executable files masquerading as PDF documents.(Citation: Unit42 Redaman January 2019)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[RTM](https://attack.mitre.org/software/S0148) has named the scheduled task it creates \"Windows Update\".(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[RTM](https://attack.mitre.org/software/S0148) can delete all Registry entries created during its execution.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[RTM](https://attack.mitre.org/software/S0148) can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[RTM](https://attack.mitre.org/software/S0148) used Port 44443 for its VNC module.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": 
"[RTM](https://attack.mitre.org/software/S0148) strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[RTM](https://attack.mitre.org/software/S0148) has been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[RTM](https://attack.mitre.org/software/S0148) can obtain a list of smart card readers attached to the victim.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[RTM](https://attack.mitre.org/software/S0148) has been delivered via spearphishing attachments disguised as PDF documents.(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[RTM](https://attack.mitre.org/software/S0148) can obtain information about process integrity levels.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "[RTM](https://attack.mitre.org/software/S0148) has the capability to download a VNC module from command and control (C2).(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[RTM](https://attack.mitre.org/software/S0148) tries to add a scheduled task to establish persistence.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", 
"comment": "[RTM](https://attack.mitre.org/software/S0148) can capture screenshots.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[RTM](https://attack.mitre.org/software/S0148) can scan victim drives to look for specific banking software on the machine to determine next actions.(Citation: ESET RTM Feb 2017)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[RTM](https://attack.mitre.org/software/S0148) can obtain information about security software on the victim.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[RTM](https://attack.mitre.org/software/S0148) samples have been signed with code-signing certificates.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553.004", "comment": "[RTM](https://attack.mitre.org/software/S0148) can add a certificate to the Windows store.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[RTM](https://attack.mitre.org/software/S0148) runs its core DLL file using rundll32.exe.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[RTM](https://attack.mitre.org/software/S0148) can obtain the computer name, OS version, and default language identifier.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[RTM](https://attack.mitre.org/software/S0148) can obtain the victim username and permissions.(Citation: ESET RTM Feb 2017)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[RTM](https://attack.mitre.org/software/S0148) can obtain the victim time zone.(Citation: ESET RTM Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[RTM](https://attack.mitre.org/software/S0148) has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "comment": "[RTM](https://attack.mitre.org/software/S0148) can detect if it is running within a sandbox or other virtualized analysis environment.(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[RTM](https://attack.mitre.org/software/S0148) has used an RSS feed on Livejournal to update a list of encrypted C2 server names. [RTM](https://attack.mitre.org/software/S0148) has also hidden [Pony](https://attack.mitre.org/software/S0453) C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.(Citation: ESET RTM Feb 2017)(Citation: CheckPoint Redaman October 2019)(Citation: Unit42 Redaman January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by RTM", "color": "#66b1ff"}]}