{"description": "Enterprise techniques used by TYPEFRAME, ATT&CK software S0263 (v1.3)", "name": "TYPEFRAME (S0263)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) can uninstall malware components using a batch script.(Citation: US-CERT TYPEFRAME June 2018) [TYPEFRAME](https://attack.mitre.org/software/S0263) can execute commands using a shell.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) has used a malicious Word document for delivery with VBA macros for execution.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) variants can add malicious DLL modules as new services. [TYPEFRAME](https://attack.mitre.org/software/S0263) can also delete services from the victim\u2019s machine.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "One [TYPEFRAME](https://attack.mitre.org/software/S0263) variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value \"0x35\".(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) can search directories for files on the victim\u2019s machine.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) can open the Windows Firewall on the victim\u2019s machine to allow incoming connections.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) can delete files off the system.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) can upload and download files to the victim\u2019s machine.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll and HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) has used ports 443, 8080, and 8443 with a FakeTLS method.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff",
"showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) can install and store encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll and HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "APIs and strings in some [TYPEFRAME](https://attack.mitre.org/software/S0263) variants are RC4 encrypted. Another variant is encoded with XOR.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "A [TYPEFRAME](https://attack.mitre.org/software/S0263) variant can force the compromised system to function as a proxy server.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[TYPEFRAME](https://attack.mitre.org/software/S0263) can gather the disk volume information.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "A Word document delivering [TYPEFRAME](https://attack.mitre.org/software/S0263) prompts the user to enable macro execution.(Citation: US-CERT TYPEFRAME June 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TYPEFRAME", "color": "#66b1ff"}]}
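The layer above is ATT&CK Navigator JSON. The Python below is an added example, not part of the layer and not MITRE's tooling: it parses a layer of this shape, flags the consistency problems that break an import (malformed or duplicate technique IDs, scores outside the declared gradient), and pulls the concrete indicators the comments name (the two registry paths, the three ports, the XOR key) into a hunting checklist, then shows the single-byte XOR decode the T1140 entry describes. SAMPLE_LAYER is a constructed, trimmed copy of four entries from the layer above; the regexes are assumptions written against the wording of these particular comments, not a general ATT&CK parser.

```python
"""Triage helpers for an ATT&CK Navigator layer such as the TYPEFRAME (S0263) layer.

Added example, not part of the layer or of MITRE's tooling. The regexes are
assumptions matched to the wording of the comments in that layer.
"""
import json
import re

# Constructed sample: a trimmed copy of four entries from the TYPEFRAME layer.
SAMPLE_LAYER = json.dumps({
    "name": "TYPEFRAME (S0263)",
    "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
    "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
    "techniques": [
        {"techniqueID": "T1112", "score": 1, "comment":
         "[TYPEFRAME](https://attack.mitre.org/software/S0263) can install encrypted "
         "configuration data under the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft"
         "\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll and "
         "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs."
         "(Citation: US-CERT TYPEFRAME June 2018)"},
        {"techniqueID": "T1571", "score": 1, "comment":
         "[TYPEFRAME](https://attack.mitre.org/software/S0263) has used ports 443, 8080, "
         "and 8443 with a FakeTLS method.(Citation: US-CERT TYPEFRAME June 2018)"},
        {"techniqueID": "T1140", "score": 1, "comment":
         "Another variant decodes the embedded file by XORing it with the value "
         "\"0x35\".(Citation: US-CERT TYPEFRAME June 2018)"},
        {"techniqueID": "T1027", "showSubtechniques": True},
    ],
})

TECHNIQUE_ID_RE = re.compile(r"T\d{4}(?:\.\d{3})?")
MD_LINK_RE = re.compile(r"\[([^\]]+)\]\(https?://[^)]+\)")      # [text](url) -> text
REGISTRY_RE = re.compile(r"HKEY_[A-Z_]+(?:\\[^\s\\()]+)+")       # hive\key\...\leaf
PORT_LIST_RE = re.compile(r"\bports? (\d{2,5}(?:, (?:and )?\d{2,5})*)")
XOR_KEY_RE = re.compile(r'XORing it with the value "(0x[0-9A-Fa-f]{2})"')


def load_layer(text: str) -> dict:
    """Parse layer JSON and insist on the keys Navigator needs to import it."""
    layer = json.loads(text)
    missing = [k for k in ("name", "versions", "techniques") if k not in layer]
    if missing:
        raise ValueError(f"layer missing required keys: {missing}")
    return layer


def validate_layer(layer: dict) -> list:
    """Return a list of problems; an empty list means the layer is consistent."""
    problems, seen = [], set()
    grad = layer.get("gradient", {})
    lo, hi = grad.get("minValue", float("-inf")), grad.get("maxValue", float("inf"))
    for entry in layer["techniques"]:
        tid = entry.get("techniqueID")
        if not isinstance(tid, str) or not TECHNIQUE_ID_RE.fullmatch(tid):
            problems.append(f"bad techniqueID: {tid!r}")
            continue
        if tid in seen:
            problems.append(f"duplicate entry for {tid}")
        seen.add(tid)
        score = entry.get("score")
        if score is not None and not lo <= score <= hi:
            problems.append(f"{tid}: score {score} outside gradient [{lo}, {hi}]")
    return problems


def extract_indicators(layer: dict) -> dict:
    """Pull registry paths, ports and XOR keys out of the technique comments."""
    found = {"registry_keys": [], "ports": [], "xor_keys": []}
    for entry in layer["techniques"]:
        tid = entry.get("techniqueID", "?")
        text = MD_LINK_RE.sub(r"\1", entry.get("comment", ""))   # drop markdown links
        for m in REGISTRY_RE.finditer(text):
            found["registry_keys"].append((tid, m.group(0).rstrip(".")))
        for m in PORT_LIST_RE.finditer(text):
            found["ports"].extend((tid, int(p)) for p in re.findall(r"\d+", m.group(1)))
        for m in XOR_KEY_RE.finditer(text):
            found["xor_keys"].append((tid, int(m.group(1), 16)))
    return found


def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the T1140 decoding the layer attributes to one variant."""
    return bytes(b ^ key for b in data)


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    for problem in validate_layer(layer):
        print("layer problem:", problem)
    for kind, items in extract_indicators(layer).items():
        for tid, value in items:
            print(f"{kind:14} {tid:10} {value!r}")
    blob = xor_decode(b"MZ\x90\x00", 0x35)   # constructed: a PE header "encoded" with 0x35
    print("decoded header:", xor_decode(blob, 0x35))
```

Keep this script in its own file; the layer itself must remain a pure JSON document or Navigator will refuse to load it. The extracted registry paths and ports are the starting points for a host and network sweep; the XOR helper is only the decode step the comment describes, since the compression format used by the RC4 variant is not stated in the layer and is left out here.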