{"description": "Enterprise techniques used by GravityRAT, ATT&CK software S0237 (v1.3)", "name": "GravityRAT (S0237)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) uses HTTP for C2.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) executes commands remotely on the infected host.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1025", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) steals files based on an extension list if a USB drive is connected to the system.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) has been delivered via Word documents using DDE for execution.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1571", "comment": 
"[GravityRAT](https://attack.mitre.org/software/S0237) has used HTTP over a non-standard port, such as TCP port 46769.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.005", "comment": "The author of [GravityRAT](https://attack.mitre.org/software/S0237) submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) supports file encryption (AES with the key \"lolomycin2017\").(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) lists the running processes on the system.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) creates a scheduled task to ensure it is re-executed every day.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) collects the MAC address, computer name, and CPU information.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) collects the victim IP address, MAC address, as well as the victim account domain name.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) uses the netstat command to find open ports on the victim\u2019s machine.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) collects the victim username along with other account information (account type, description, full name, SID and status).(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) has a feature to list the available services on the system.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) can obtain the date and time of a system.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) uses WMI to check the BIOS and manufacturer information for strings like \"VMWare\", \"Virtual\", and \"XEN\" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment.(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[GravityRAT](https://attack.mitre.org/software/S0237) collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).(Citation: Talos GravityRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by GravityRAT", "color": "#66b1ff"}]}