{"description": "Enterprise techniques used by ROKRAT, ATT&CK software S0240 (v2.3)", "name": "ROKRAT (S0240)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can use HTTP and HTTPS for command and control communication.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can use the `GetForegroundWindow` and `GetWindowText` APIs to discover where the user is typing.(Citation: Talos ROKRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1123", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) has an audio capture and eavesdropping module.(Citation: Securelist ScarCruft May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1115", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can extract clipboard data from a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) has used Visual Basic for execution.(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can steal credentials stored in Web browsers by querying the sqlite database.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.004", 
"comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can steal credentials by leveraging the Windows Vault mechanism.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can collect host data and specific file types.(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1622", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can check for debugging tools.(Citation: Talos Group123)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can decrypt strings using the victim's hostname as the key.(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.001", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) relies on a specific victim hostname to execute and decrypt important strings.(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can send collected files back over the same C2 channel.(Citation: Talos ROKRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can send collected data to cloud storage services such as PCloud.(Citation: Malwarebytes RokRAT VBA January 2021)(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) has the ability to gather a list of files and directories on the infected system.(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can request to delete files.(Citation: NCCGroup RokRat Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can retrieve additional malicious payloads from its C2 server.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can use `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes.(Citation: Talos ROKRAT)(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can modify the `HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\` registry key so it can bypass the VB object model (VBOM) on a compromised host.(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can use a variety of API calls to execute shellcode.(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can encrypt data prior to exfiltration by using an RSA public key.(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document.(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can list the current running processes on the system.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`.(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can access the HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can capture screenshots of the infected system using the `gdi32` library.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can gather the hostname and the OS version to ensure it doesn\u2019t run on Windows XP or Windows Server 2003 systems.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can collect the username from a compromised host.(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) can check for VMware-related files and DLLs related to sandboxes.(Citation: Talos Group123)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[ROKRAT](https://attack.mitre.org/software/S0240) has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications.(Citation: Talos ROKRAT)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ROKRAT", "color": "#66b1ff"}]}