{"description": "Enterprise techniques used by Hydraq, ATT&CK software S0203 (v2.0)", "name": "Hydraq (S0203)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can adjust token privileges.(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates new services to establish persistence.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)(Citation: Symantec Hydraq Persistence Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can read data from files.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) C2 traffic is encrypted using bitwise NOT and XOR operations.(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) connects to a predefined domain on port 443 to exfil gathered information.(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can clear all system event logs.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can delete files.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can download files and additional malware components.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. [Hydraq](https://attack.mitre.org/software/S0203)'s backdoor also enables remote attackers to modify and delete subkeys.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) uses basic obfuscation in the form of spaghetti code.(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can monitor processes.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1129", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can load and call DLL functions.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can monitor services.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Hydraq](https://attack.mitre.org/software/S0203) uses svchost.exe to execute a malicious DLL included in a new service group.(Citation: Symantec Hydraq Persistence Jan 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Hydraq", "color": "#66b1ff"}]}