{"description": "Enterprise techniques used by Daserf, ATT&CK software S0187 (v1.1)", "name": "Daserf (S0187)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Daserf](https://attack.mitre.org/software/S0187) uses HTTP for C2.(Citation: Secureworks BRONZE BUTLER Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[Daserf](https://attack.mitre.org/software/S0187) hides collected data in password-protected .rar archives.(Citation: Symantec Tick Apr 2016)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[Daserf](https://attack.mitre.org/software/S0187) hides collected data in password-protected .rar archives.(Citation: Symantec Tick Apr 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Daserf](https://attack.mitre.org/software/S0187) can execute shell commands.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Daserf](https://attack.mitre.org/software/S0187) uses custom base64 encoding to obfuscate HTTP traffic.(Citation: Secureworks BRONZE BUTLER Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.002", "comment": "[Daserf](https://attack.mitre.org/software/S0187) can use steganography to hide malicious code downloaded to the victim.(Citation: Trend Micro Daserf Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Daserf](https://attack.mitre.org/software/S0187) uses RC4 encryption to obfuscate HTTP traffic.(Citation: Secureworks BRONZE BUTLER Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Daserf](https://attack.mitre.org/software/S0187) can download remote files.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Daserf](https://attack.mitre.org/software/S0187) can log keystrokes.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Daserf](https://attack.mitre.org/software/S0187) uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.(Citation: Symantec Tick Apr 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[Daserf](https://attack.mitre.org/software/S0187) uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.(Citation: Trend Micro Daserf Nov 2017)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "A version of [Daserf](https://attack.mitre.org/software/S0187) uses the MPRESS packer.(Citation: Trend Micro Daserf Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.005", "comment": "Analysis of [Daserf](https://attack.mitre.org/software/S0187) has shown that it regularly undergoes technical improvements to evade anti-virus detection.(Citation: Trend Micro Daserf Nov 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Daserf](https://attack.mitre.org/software/S0187) leverages [Mimikatz](https://attack.mitre.org/software/S0002) and [Windows Credential Editor](https://attack.mitre.org/software/S0005) to steal credentials.(Citation: Symantec Tick Apr 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[Daserf](https://attack.mitre.org/software/S0187) can take screenshots.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "Some [Daserf](https://attack.mitre.org/software/S0187) samples were signed with a stolen digital certificate.(Citation: Symantec Tick Apr 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Daserf", "color": "#66b1ff"}]}