{
  "description": "Enterprise techniques used by Kwampirs, ATT&CK software S0236 (v1.2)",
  "name": "Kwampirs (S0236)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.001", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of accounts with the command net users.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) creates a new service named WmiApSrvEx to establish persistence.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) decrypts and extracts a copy of its main DLL payload when executing.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) uses a large list of C2 servers that it cycles through until a successful connection is established.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of files and directories in C:\\ with the command dir /s /a c:\\ >> \"C:\\windows\\TEMP\\[RANDOM].tmp\".(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) downloads additional files from C2 servers.(Citation: Symantec Security Center Trojan.Kwampirs)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) establishes persistence by adding a new service with the display name \"WMI Performance Adapter Extension\" in an attempt to masquerade as a legitimate WMI service.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1135", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of network shares with the command net share.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.001", "comment": "Before writing to disk, [Kwampirs](https://attack.mitre.org/software/S0236) inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) downloads additional files that are base64-encoded and encrypted with another cipher.(Citation: Symantec Security Center Trojan.Kwampirs)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1201", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects password policy information with the command net accounts.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1069", "showSubtechniques": true},
    {"techniqueID": "T1069.001", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of users belonging to the local users and administrators groups with the commands net localgroup administrators and net localgroup users.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1069.002", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of domain groups with the command net localgroup /domain.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of running services with the command tasklist /v.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) copies itself over network shares to move laterally on a victim network.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of available servers with the command net view.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) uses rundll32.exe in a Registry value added to establish persistence.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1049", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of active and listening connections by using the command netstat -nao as well as a list of available network mappings with net use.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects registered owner details by using the commands systeminfo and net config workstation.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[Kwampirs](https://attack.mitre.org/software/S0236) collects a list of running services with the command tasklist /svc.(Citation: Symantec Orangeworm April 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Kwampirs", "color": "#66b1ff"}]
}