{
  "description": "Enterprise techniques used by RedLeaves, ATT&CK software S0153 (v1.2)",
  "name": "RedLeaves (S0153)",
  "domain": "enterprise-attack",
  "versions": {
    "layer": "4.5",
    "attack": "17",
    "navigator": "5.1.0"
  },
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can communicate to its C2 over HTTP and HTTPS if directed.(Citation: FireEye APT10 April 2017)(Citation: Accenture Hogfish April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.009", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) attempts to add a shortcut file in the Startup folder to achieve persistence.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can receive and execute commands with cmd.exe. It can also provide a reverse shell.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can gather browser usernames and passwords.(Citation: Accenture Hogfish April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.(Citation: PWC Cloud Hopper Technical Annex April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can enumerate and search for files and directories.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) is launched through use of DLL search order hijacking to load a malicious dll.(Citation: FireEye APT10 April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can delete specified files.(Citation: PWC Cloud Hopper Technical Annex April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) is capable of downloading a file from a specified URL.(Citation: PWC Cloud Hopper Technical Annex April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can use HTTP over non-standard ports, such as 995, for C2.(Citation: PWC Cloud Hopper Technical Annex April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "A [RedLeaves](https://attack.mitre.org/software/S0153) configuration file is encrypted with a simple XOR key, 0x53.(Citation: PWC Cloud Hopper Technical Annex April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can capture screenshots.(Citation: FireEye APT10 April 2017)(Citation: Accenture Hogfish April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can obtain information about network parameters.(Citation: PWC Cloud Hopper Technical Annex April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1049", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can enumerate drives and Remote Desktop sessions.(Citation: PWC Cloud Hopper Technical Annex April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[RedLeaves](https://attack.mitre.org/software/S0153) can obtain information about the logged on user both locally and for Remote Desktop sessions.(Citation: PWC Cloud Hopper Technical Annex April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by RedLeaves", "color": "#66b1ff"}]
}
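The two cryptographic details the layer records for RedLeaves (a configuration file XORed with the single byte 0x53 under T1027.013, and RC4-encrypted C2 traffic keyed with "88888888" or "babybear" under T1573.001) are simple enough that an analyst can strip both layers from a sample or a captured session with a few lines of code. The following is an added example written for this page; it is not code from MITRE ATT&CK, from the cited PWC, FireEye or Accenture reports, or from the malware itself. The sample configuration string and beacon body are constructed here to show the decoding path and do not reproduce RedLeaves' real configuration layout; the C2 host name and the port 995 in the sample are placeholders (the port is taken from the T1571 entry).

```python
"""
Decode helpers for the two RedLeaves encryption details recorded in the layer
above: the XOR 0x53 configuration file (T1027.013) and RC4 C2 traffic keyed
with "88888888" or "babybear" (T1573.001).

Added example, not code from ATT&CK or from any cited report. The sample
config and beacon below are constructed for demonstration only.
"""
from typing import Optional, Tuple

XOR_CONFIG_KEY = 0x53                          # value from the T1027.013 entry
KNOWN_RC4_KEYS = (b"88888888", b"babybear")    # values from the T1573.001 entry


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one function encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_decode(data: bytes, key: int = XOR_CONFIG_KEY) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF (0.0 for empty input)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def recover_c2_payload(
    blob: bytes, keys=KNOWN_RC4_KEYS, threshold: float = 0.9
) -> Optional[Tuple[bytes, bytes]]:
    """Try each known RC4 key and return (key, plaintext) for the candidate with
    the highest printable ratio, or None when no key clears the threshold.
    Scoring all keys (rather than stopping at the first hit) avoids a wrong key
    being accepted on very short blobs where random bytes can look like text."""
    best: Optional[Tuple[float, bytes, bytes]] = None
    for key in keys:
        plain = rc4(key, blob)
        score = printable_ratio(plain)
        if best is None or score > best[0]:
            best = (score, key, plain)
    if best is None or best[0] < threshold:
        return None
    return best[1], best[2]


# Constructed samples (not real RedLeaves artefacts). Both encoders are their
# own inverse, so the "encrypted" fixtures are produced with the same functions.
SAMPLE_CONFIG_ENC = xor_decode(b"http://c2.example.invalid:995/index.php\x00")
SAMPLE_BEACON = rc4(b"babybear", b"hostname=WS01;user=alice;uptime=86400;cmd=dir C:\\\r\n")

if __name__ == "__main__":
    print(xor_decode(SAMPLE_CONFIG_ENC))
    print(recover_c2_payload(SAMPLE_BEACON))
```

In practice the XOR step is applied to the configuration blob carved from the loader or the injected payload, and the RC4 step to the HTTP request or response body captured on the wire; since both keys are published, a beacon that fails to decrypt with either is a hint that the operators have rotated keys, not that the traffic is unrelated.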