{"description": "Enterprise techniques used by RATANKBA, ATT&CK software S0241 (v1.1)", "name": "RATANKBA (S0241)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) uses the net user command.(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) uses HTTP/HTTPS for command and control communication.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "There is a variant of [RATANKBA](https://attack.mitre.org/software/S0241) that uses a PowerShell script instead of the traditional PE form.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) uses cmd.exe to execute commands.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) uploads and downloads information.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) lists the system\u2019s processes.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) performs a reflective DLL injection using a given pid.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) uses the command reg query \u201cHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\InternetSettings\u201d.(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) runs the net view /domain and net view commands.(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) gathers information about the OS architecture, OS name, and OS version/Service pack.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) gathers the victim\u2019s IP address via the ipconfig -all command.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) uses netstat -ano to search for specific IP address ranges.(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) runs the whoami and query user commands.(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) uses tasklist /svc to display running tasks.(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[RATANKBA](https://attack.mitre.org/software/S0241) uses WMI to perform process monitoring.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by RATANKBA", "color": "#66b1ff"}]}