{"description": "Enterprise techniques used by Bankshot, ATT&CK software S0239 (v1.1)", "name": "Bankshot (S0239)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) gathers domain and account names/information through process monitoring.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) gathers domain and account names/information through process monitoring.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) uses HTTP for command and control communication.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) recursively generates a list of files within a directory and sends them back to the control server.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) uses the command-line interface to execute arbitrary commands.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) can terminate a specific process by its process id.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.002", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) encodes commands from the control server using a range of characters and gzip.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) collects files from the local system.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) generates a false TLS handshake using a public certificate to disguise C2 network communications.(Citation: MAR10135536-B)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) decodes embedded XOR strings.(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) exfiltrates data over its C2 channel.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims\u2019 machines.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": 
"[Bankshot](https://attack.mitre.org/software/S0239) searches for files on the victim's machine.(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) deletes all artifacts associated with the malware from the infected machine.(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) modifies the time of a file as specified by the control server.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) uploads files and secondary payloads to the victim's machine.(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) writes data into the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Pniumj.(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.(Citation: US-CERT Bankshot Dec 2017)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) identifies processes and collects the process ids.(Citation: McAfee Bankshot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) searches for certain Registry keys to be configured before executing the payload.(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Bankshot](https://attack.mitre.org/software/S0239) gathers system information, network addresses, disk type, disk free space, and the operating system version.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Bankshot", "color": "#66b1ff"}]}