{"description": "Enterprise techniques used by QuasarRAT, ATT&CK software S0262 (v2.1)", "name": "QuasarRAT (S0262)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "\n[QuasarRAT](https://attack.mitre.org/software/S0262) can generate a UAC pop-up Window to prompt the target user to run a command as the administrator.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "If the [QuasarRAT](https://attack.mitre.org/software/S0262) client process does not have administrator privileges it will add a registry key to `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` for persistence.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can launch a remote shell to execute commands on the victim\u2019s machine.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can obtain passwords from common FTP clients.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can obtain passwords from common web browsers.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": 
"[QuasarRAT](https://attack.mitre.org/software/S0262) can retrieve files from compromised client machines.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) uses AES with a hardcoded pre-shared key to encrypt network communication.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "\n[QuasarRAT](https://attack.mitre.org/software/S0262) has the ability to set file attributes to \"hidden\" to hide files from the compromised user's view in Windows File Explorer.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A` though [QuasarRAT](https://attack.mitre.org/software/S0262) can only be run on Windows systems.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can download files to the victim\u2019s machine and execute them.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) has a built-in keylogger.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) has a command to edit the Registry on the victim\u2019s machine.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can use TCP for C2 communication.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can use port 4782 on the compromised host for TCP callbacks.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can communicate over a reverse proxy using SOCKS5.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) has a module for performing remote desktop access.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.(Citation: Volexity Patchwork June 2018)(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "A [QuasarRAT](https://attack.mitre.org/software/S0262) .dll file is digitally signed by a certificate from AirVPN.(Citation: Volexity Patchwork June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can gather system information from the victim\u2019s machine including the OS type.(Citation: GitHub QuasarRAT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can determine the country a victim host is located in.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org observed with user-agent string `Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0`.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can enumerate the username and account type.(Citation: CISA AR18-352A Quasar RAT December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can obtain passwords from FTP clients.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1125", "comment": "[QuasarRAT](https://attack.mitre.org/software/S0262) can perform webcam viewing.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by QuasarRAT", "color": "#66b1ff"}]}
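Detection logic derived from the concrete observables the layer above records (the HKCU Run key for T1547.001, TCP port 4782 for T1571, the WAN-IP lookup hosts and Firefox/48 user-agent for T1016, and the macOS Safari user-agent sent from a Windows host for T1564.003), added here as an example; it is not part of the ATT&CK layer, of MITRE's tooling, or of the QuasarRAT project. It runs over a constructed JSON-lines telemetry feed whose field names (event, computer, host_os, target_object, proto, dest_ip, dest_port, http_host, user_agent) are assumptions made for the example, not any real sensor's schema.

```python
"""Detection sketch for the QuasarRAT observables in the Navigator layer above.

Added example; not part of the ATT&CK layer, MITRE, or the QuasarRAT project.
The telemetry is a constructed JSON-lines feed invented for this example, and
its field names ("event", "computer", "host_os", "target_object", "proto",
"dest_ip", "dest_port", "http_host", "user_agent") are assumptions, not any
real sensor's schema.
"""
import json

# Observables stated in the layer comments, keyed by the ATT&CK technique ID
# the layer maps them to.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"         # T1547.001
QUASAR_TCP_PORT = 4782                                                  # T1571
WAN_IP_LOOKUP_HOSTS = {"ip-api.com", "freegeoip.net", "api.ipify.org"}  # T1016
WAN_IP_LOOKUP_UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"
INVISIBLE_REQUEST_UA = (                                                # T1564.003
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 "
    "(KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
)


def check_event(ev):
    """Return [(techniqueID, reason), ...] for one parsed telemetry event."""
    hits = []
    kind = ev.get("event")
    if kind == "registry_set":
        # The value name under Run is attacker-chosen, so match the key prefix only.
        # Sysmon reports the user hive as HKU\<SID>\... rather than HKCU\...; a
        # production rule would normalise that before comparing.
        target = ev.get("target_object", "")
        if target.lower().startswith(RUN_KEY.lower() + "\\"):
            hits.append(("T1547.001", "Run key value written: " + target))
    elif kind == "network_connect":
        if ev.get("proto") == "tcp" and ev.get("dest_port") == QUASAR_TCP_PORT:
            hits.append(("T1571", f"outbound TCP to {ev.get('dest_ip')}:{QUASAR_TCP_PORT}"))
    elif kind == "http_request":
        http_host = ev.get("http_host", "").lower()
        ua = ev.get("user_agent", "")
        if http_host in WAN_IP_LOOKUP_HOSTS and ua == WAN_IP_LOOKUP_UA:
            hits.append(("T1016", f"WAN IP lookup to {http_host} with the Firefox/48 UA"))
        # A macOS Safari UA coming from a Windows host: QuasarRAT only runs on Windows.
        if ua == INVISIBLE_REQUEST_UA and ev.get("host_os", "").lower().startswith("windows"):
            hits.append(("T1564.003", f"macOS Safari UA from a Windows host to {http_host}"))
    return hits


def scan(lines):
    """Parse JSON-lines telemetry; return findings as (computer, techniqueID, reason)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the whole scan
        for tid, reason in check_event(ev):
            findings.append((ev.get("computer", "?"), tid, reason))
    return findings


# Constructed sample telemetry (not real logs): four events on WS01 that show
# the layer's observables, two benign events on WS02, and one malformed line.
SAMPLE_TELEMETRY = r"""
{"computer": "WS01", "host_os": "Windows 10", "event": "registry_set", "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client", "details": "C:\\Users\\alice\\AppData\\Roaming\\Client.exe"}
{"computer": "WS01", "host_os": "Windows 10", "event": "network_connect", "proto": "tcp", "dest_ip": "203.0.113.10", "dest_port": 4782}
{"computer": "WS01", "host_os": "Windows 10", "event": "http_request", "http_host": "ip-api.com", "user_agent": "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"}
{"computer": "WS01", "host_os": "Windows 10", "event": "http_request", "http_host": "example.org", "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"}
{"computer": "WS02", "host_os": "Windows 11", "event": "network_connect", "proto": "tcp", "dest_ip": "203.0.113.20", "dest_port": 443}
{"computer": "WS02", "host_os": "Windows 11", "event": "http_request", "http_host": "ip-api.com", "user_agent": "curl/8.4.0"}
this line is not JSON
"""

if __name__ == "__main__":
    for computer, tid, reason in scan(SAMPLE_TELEMETRY.splitlines()):
        print(f"{computer}\t{tid}\t{reason}")
```

The port and the two user-agent strings are configuration chosen by whoever builds the client, so matching them exactly catches the builds the cited reports describe and little else; the Run key write on its own is a noisy signal on any workstation. The value of this rule set is correlation: several of these technique hits on the same computer inside a short window, as the WS01 sample shows, is a much stronger lead than any one of them. A request to ip-api.com with an ordinary user-agent (the WS02 line) is deliberately not flagged.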