{
  "description": "Enterprise techniques used by Gazer, ATT&CK software S0168 (v1.3)",
  "name": "Gazer (S0168)",
  "domain": "enterprise-attack",
  "versions": {
    "layer": "4.5",
    "attack": "17",
    "navigator": "5.1.0"
  },
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Gazer](https://attack.mitre.org/software/S0168) communicates with its C2 servers over HTTP.(Citation: ESET Gazer Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Gazer](https://attack.mitre.org/software/S0168) can establish persistence by creating a .lnk file in the Start menu.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.004", "comment": "[Gazer](https://attack.mitre.org/software/S0168) can establish persistence by setting the value \u201cShell\u201d with \u201cexplorer.exe, %malware_pathfile%\u201d under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.(Citation: ESET Gazer Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.009", "comment": "[Gazer](https://attack.mitre.org/software/S0168) can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[Gazer](https://attack.mitre.org/software/S0168) uses custom encryption for C2 that uses 3DES.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[Gazer](https://attack.mitre.org/software/S0168) uses custom encryption for C2 that uses RSA.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.002", "comment": "[Gazer](https://attack.mitre.org/software/S0168) can establish persistence through the system screensaver by configuring it to execute the malware.(Citation: ESET Gazer Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480", "showSubtechniques": true},
    {"techniqueID": "T1480.002", "comment": "[Gazer](https://attack.mitre.org/software/S0168) creates a mutex using the hard-coded value `{531511FA-190D-5D85-8A4A-279F2F592CC7}` to ensure that only one instance of itself is running.(Citation: ESET Gazer Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.004", "comment": "[Gazer](https://attack.mitre.org/software/S0168) stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.(Citation: ESET Gazer Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Gazer](https://attack.mitre.org/software/S0168) has commands to delete files and persistence mechanisms from the victim.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.006", "comment": "For early [Gazer](https://attack.mitre.org/software/S0168) versions, the compilation timestamp was faked.(Citation: ESET Gazer Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Gazer](https://attack.mitre.org/software/S0168) can execute a task to download a file.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Gazer](https://attack.mitre.org/software/S0168) logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "comment": "[Gazer](https://attack.mitre.org/software/S0168) injects its communication module into an Internet accessible process through which it performs C2.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1055.003", "comment": "[Gazer](https://attack.mitre.org/software/S0168) performs thread execution hijacking to inject its orchestrator into a running thread from a remote process.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Gazer](https://attack.mitre.org/software/S0168) can establish persistence by creating a scheduled task.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[Gazer](https://attack.mitre.org/software/S0168) versions are signed with various valid certificates; one was likely faked and issued by Comodo for \"Solid Loop Ltd,\" and another was issued for \"Ultimate Computer Support Ltd.\"(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1033", "comment": "[Gazer](https://attack.mitre.org/software/S0168) obtains the current user's security identifier.(Citation: Securelist WhiteBear Aug 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {
    "colors": ["#ffffff", "#66b1ff"],
    "minValue": 0,
    "maxValue": 1
  },
  "legendItems": [
    {"label": "used by Gazer", "color": "#66b1ff"}
  ]
}
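The host-level indicators this layer attributes to Gazer (the Winlogon Shell value rewritten as "explorer.exe, <malware path>" under T1547.004, a screensaver pointed at the malware under T1546.002, the hard-coded mutex under T1480.002, and configuration kept in alternate data streams under T1564.004) can be checked mechanically against values collected from a host. The script below is an added example and is not code from MITRE, ESET or Kaspersky, nor part of the layer itself. It reads the layer's own comments for annotation, but the artifact dictionary layout, the function names, the System32 screensaver baseline and every sample path are this example's own assumptions; the sample layer and host values are constructed for illustration, and collection from a live host (winreg, a handle listing, `dir /r`) is left to the reader.

```python
"""Triage helpers for the Gazer persistence indicators in the layer above.

Added example, not part of the ATT&CK layer or the cited reporting. The
artifact layout, helper names and sample values are assumptions; only the
Winlogon "explorer.exe, <path>" pattern and the mutex name come from the
layer's comments.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Hard-coded mutex name quoted in the layer's T1480.002 entry.
GAZER_MUTEX = "{531511FA-190D-5D85-8A4A-279F2F592CC7}"

# Winlogon\Shell should hold exactly explorer.exe; Gazer appends its own
# path so Winlogon launches both (T1547.004).
EXPECTED_SHELL = "explorer.exe"

# Assumed baseline for SCRNSAVE.EXE: a .scr name that resolves into System32.
_SYSTEM32_SCR = re.compile(
    r"^(?:(?:[a-z]:\\windows|%systemroot%)\\system32\\)?[^\\]+\.scr$"
)

# 'file:stream:$DATA' as printed by 'dir /r'; group 2 is the stream name.
_STREAM_LINE = re.compile(r"^(.+?):([^:\\]*):\$DATA$")


def check_winlogon_shell(shell_value: str) -> List[str]:
    """Return every comma-separated Shell entry that is not explorer.exe."""
    parts = [p.strip() for p in shell_value.split(",")]
    return [p for p in parts if p and p.lower() != EXPECTED_SHELL]


def check_screensaver(scrnsave_exe: str) -> bool:
    """True when SCRNSAVE.EXE falls outside the System32 .scr baseline."""
    path = scrnsave_exe.strip().strip('"').lower()
    return _SYSTEM32_SCR.match(path) is None


def check_mutexes(mutex_names: Iterable[str]) -> bool:
    """True when the Gazer mutex appears, with or without a \\BaseNamedObjects prefix."""
    wanted = GAZER_MUTEX.lower()
    return any(m.rsplit("\\", 1)[-1].strip().lower() == wanted for m in mutex_names)


def check_streams(stream_listing: Iterable[str]) -> List[str]:
    """Return named streams; the unnamed ::$DATA stream and Zone.Identifier are ignored."""
    hits = []
    for line in stream_listing:
        m = _STREAM_LINE.match(line.strip())
        if m and m.group(2) and m.group(2).lower() != "zone.identifier":
            hits.append(line.strip())
    return hits


def load_layer_comments(layer_json: str) -> Dict[str, str]:
    """Map techniqueID -> comment for the scored entries of a Navigator layer."""
    layer = json.loads(layer_json)
    return {t["techniqueID"]: t.get("comment", "")
            for t in layer["techniques"] if t.get("score", 0) > 0}


def triage(artifacts: dict, comments: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Run every check; return (techniqueID, finding, layer comment) tuples."""
    out: List[Tuple[str, str, str]] = []
    for extra in check_winlogon_shell(artifacts.get("winlogon_shell", EXPECTED_SHELL)):
        out.append(("T1547.004", f"Winlogon Shell also starts {extra}", comments.get("T1547.004", "")))
    scr = artifacts.get("scrnsave_exe")
    if scr and check_screensaver(scr):
        out.append(("T1546.002", f"SCRNSAVE.EXE is {scr}", comments.get("T1546.002", "")))
    if check_mutexes(artifacts.get("mutexes", [])):
        out.append(("T1480.002", f"mutex {GAZER_MUTEX} present", comments.get("T1480.002", "")))
    for stream in check_streams(artifacts.get("streams", [])):
        out.append(("T1564.004", f"named alternate data stream {stream}", comments.get("T1564.004", "")))
    return out


# Constructed sample layer (a trimmed subset of the entries above) and
# constructed host artifacts; the paths are illustrative, not observed ones.
SAMPLE_LAYER = json.dumps({"techniques": [
    {"techniqueID": "T1547", "showSubtechniques": True},
    {"techniqueID": "T1547.004", "score": 1, "comment": "Shell set to explorer.exe, %malware_pathfile%"},
    {"techniqueID": "T1546.002", "score": 1, "comment": "screensaver configured to execute the malware"},
    {"techniqueID": "T1480.002", "score": 1, "comment": "hard-coded mutex"},
    {"techniqueID": "T1564.004", "score": 1, "comment": "configuration stored in ADSs"},
]})

SAMPLE_ARTIFACTS = {
    "winlogon_shell": "Explorer.exe, C:\\ProgramData\\Update\\update.exe",
    "scrnsave_exe": "C:\\ProgramData\\Update\\update.exe",
    "mutexes": ["\\Sessions\\1\\BaseNamedObjects\\{531511FA-190D-5D85-8A4A-279F2F592CC7}"],
    "streams": ["C:\\ProgramData\\Update\\report.docx::$DATA",
                "C:\\ProgramData\\Update\\report.docx:cfg:$DATA",
                "C:\\ProgramData\\Update\\setup.exe:Zone.Identifier:$DATA"],
}

if __name__ == "__main__":
    for tid, finding, comment in triage(SAMPLE_ARTIFACTS, load_layer_comments(SAMPLE_LAYER)):
        print(f"{tid}: {finding}  [{comment}]")
```

The checks are deliberately baseline-driven rather than signature-driven: apart from the mutex name, nothing here keys on a Gazer-specific path, so the same functions will surface any other tool that rides Winlogon\Shell, SCRNSAVE.EXE or named streams. Expect the screensaver check to need a site-specific allow list on hosts that legitimately deploy screensavers from outside System32.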