{
  "description": "Enterprise techniques used by InvisiMole, ATT&CK software S0260 (v2.1)",
  "name": "InvisiMole (S0260)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can use fileless UAC bypass and create an elevated COM object to escalate privileges.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to list account information on the victim\u2019s machine.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) uses HTTP for C2 communications.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.004", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1010", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can enumerate windows and child windows on a compromised host.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) uses WinRAR to compress data that is intended to be exfiltrated.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560.002", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can use zlib to compress and decompress data.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560.003", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) uses a variation of the XOR cipher to encrypt files before exfiltration.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1123", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can record sound using input audio devices.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1119", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can place a lnk file in the Startup Folder to achieve persistence.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.009", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can use a .lnk shortcut for the Control Panel to establish persistence.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can launch a remote shell to execute commands.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.007", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can use a JavaScript file as part of its execution chain.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.002", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can use a modified base32 encoding to encode data within the subdomain of C2 requests.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can collect data from the system, and can monitor changes in specified directories.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1025", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can collect jpeg files from connected MTP devices.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1001", "showSubtechniques": true},
    {"techniqueID": "T1001.003", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can mimic HTTP protocol with custom HTTP \u201cverbs\u201d HIDE, ZVVP, and NOP.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) uses variations of a simple XOR encryption routine for C&C communications.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480", "showSubtechniques": true},
    {"techniqueID": "T1480.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can use Data Protection API to encrypt its components on the victim\u2019s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1203", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1068", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1210", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has been configured with several servers available for alternate C2 communications.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can list information about files in a directory and recently opened or used documents. [InvisiMole](https://attack.mitre.org/software/S0260) can also search for specific files by supplied file mask.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can create hidden system directories.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has executed legitimate tools in hidden windows.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.004", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to disable routing and the Firewall on the victim\u2019s machine.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has deleted files and directories including XML and files successfully uploaded to C2 servers.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.005", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can disconnect previously connected remote drives.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.006", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) samples were timestomped by the authors by setting the PE timestamps to all zero values. [InvisiMole](https://attack.mitre.org/software/S0260) also has a built-in command to modify file times.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can upload files to the victim's machine for operations.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1490", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can remove all system restore points.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can capture keystrokes on a compromised host.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "showSubtechniques": true},
    {"techniqueID": "T1559.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has attempted to disguise itself by registering under a seemingly legitimate service name.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to create, set, copy, or delete a specified Registry key or value.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1046", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can scan the network for open ports and vulnerable instances of RDP and SMB protocols.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can gather network share information.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1095", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has used TCP to download additional modules.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.005", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has undergone regular technical improvements in an attempt to evade detection.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can obtain a list of running processes.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.(Citation: ESET InvisiMole June 2020)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1055.002", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can inject its backdoor as a portable executable into a target process.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.004", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can inject its code into a trusted process via the APC queue.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.015", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has used ListPlanting to inject code into a trusted process.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090", "showSubtechniques": true},
    {"techniqueID": "T1090.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090.002", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can identify proxy servers used by the victim and use them for C2 communication.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1012", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can enumerate Registry values, keys, and data.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has used scheduled tasks named MSST and \\Microsoft\\Windows\\Autochk\\Scheduled to establish persistence.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can collect information about installed software used by specific users, software executed on user login, and software executed by each system.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can check for the presence of network sniffers, AV, and BitDefender firewall.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.002", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can register itself for execution and persistence via the Control Panel.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has used rundll32.exe for execution.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) lists local users and session information.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can obtain running services on the victim.(Citation: ESET InvisiMole June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1569", "showSubtechniques": true},
    {"techniqueID": "T1569.002", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) has used Windows services as a way to execute its malicious payload.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1124", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) gathers the local system time from the victim\u2019s machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1080", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can deliver trojanized versions of software and documents, relying on user execution.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1125", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can remotely activate the victim\u2019s webcam to capture content.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[InvisiMole](https://attack.mitre.org/software/S0260) can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.(Citation: ESET InvisiMole June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by InvisiMole", "color": "#66b1ff"}]
}