{"description": "Enterprise techniques used by NETWIRE, ATT&CK software S0198 (v1.6)", "name": "NETWIRE (S0198)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has the ability to communicate over HTTP.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can discover and close windows on controlled systems.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1560", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has the ability to compress archived screenshots.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has used a custom encryption algorithm to encrypt collected data.(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can automatically archive collected data.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) creates a Registry start-up entry to establish persistence.(Citation: McAfee Netwire Mar 2015)(Citation: Red Canary NETWIRE January 2020)(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.013", "comment": 
"[NETWIRE](https://attack.mitre.org/software/S0198) can use XDG Autostart Entries to establish persistence on Linux systems.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.015", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can persist via startup options for Login items.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "The [NETWIRE](https://attack.mitre.org/software/S0198) binary has been executed via PowerShell script.(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can issue commands using cmd.exe.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has the ability to use /bin/bash and /bin/sh to execute commands.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has been executed through use of VBScripts.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can use launch agents for persistence.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": 
"[NETWIRE](https://attack.mitre.org/software/S0198) can retrieve passwords from messaging and mail client applications.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has the ability to write collected data to a file created in the ./LOGS directory.(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can encrypt C2 communications.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can use AES encryption for C2 data transferred.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has the ability to search for files on the compromised host.(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can copy itself to and launch itself from hidden folders.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": 
"[NETWIRE](https://attack.mitre.org/software/S0198) can download payloads from C2 to the compromised host.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can perform keylogging.(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.001", "comment": "The [NETWIRE](https://attack.mitre.org/software/S0198) client has been signed by fake and invalid digital certificates.(Citation: McAfee Netwire Mar 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has masqueraded as legitimate software including TeamViewer and macOS Finder.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can modify the Registry to store its configuration information.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can use Native API including CreateProcess, GetProcessById, and WriteProcessMemory.(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can use TCP in C2 communications.(Citation: Red Canary NETWIRE January 2020)(Citation: Unit 42 NETWIRE 
April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.(Citation: FireEye NETWIRE March 2019)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has used .NET packer tools to evade detection.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can store its configuration information in the Registry under `HKCU:\\Software\\Netwire`.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has been spread via e-mail campaigns utilizing malicious attachments.(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has been spread via e-mail campaigns utilizing malicious links.(Citation: Unit 42 NETWIRE April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can discover processes on compromised hosts.(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1055.012", "comment": "The [NETWIRE](https://attack.mitre.org/software/S0198) payload has been injected into benign Microsoft executables via process hollowing.(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can implement use of proxies to pivot traffic.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.003", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can use crontabs to establish persistence.(Citation: Red Canary NETWIRE January 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can create a scheduled task to establish persistence.(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can capture the victim's screen.(Citation: McAfee Netwire Mar 2015)(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can discover and collect victim system information.(Citation: McAfee Netwire Mar 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can collect the IP address of a compromised host.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1049", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) can capture session logon details from a compromised host.(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has been executed through convincing victims into clicking malicious links.(Citation: FireEye NETWIRE March 2019)(Citation: Unit 42 NETWIRE April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has been executed through luring victims into opening malicious documents.(Citation: FireEye NETWIRE March 2019)(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[NETWIRE](https://attack.mitre.org/software/S0198) has used web services including Paste.ee to host payloads.(Citation: FireEye NETWIRE March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by NETWIRE", "color": "#66b1ff"}]}