{
  "description": "Enterprise techniques used by TrickBot, ATT&CK software S0266 (v2.2)",
  "name": "TrickBot (S0266)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) collects the users of the system.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1087.003", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) collects email addresses from Outlook.(Citation: Trend Micro Trickbot Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses HTTPS to communicate with its C2 servers to retrieve malware updates, the modules that perform most of the malware logic, and various configuration files.(Citation: S2 Grupo TrickBot June 2017)(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) establishes persistence in the Startup folder.(Citation: ESET Trickbot Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1185", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: Microsoft Totbrick Oct 2017)(Citation: Trend Micro Trickbot Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1110", "showSubtechniques": true},
    {"techniqueID": "T1110.004", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) performs brute-force attacks against RDP using its rdpscanDll module.(Citation: ESET Trickbot Oct 2020)(Citation: Bitdefender Trickbot March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has used macros in Excel documents to download and deploy the malware on the user\u2019s machine.(Citation: TrendMicro Trickbot Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) establishes persistence by creating an autostart service that allows it to run whenever the machine boots.(Citation: Trend Micro Trickbot Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using [esentutl](https://attack.mitre.org/software/S0404).(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555.005", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can steal passwords from the KeePass open source password manager.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can Base64-encode C2 commands.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) collects local files and information from the victim\u2019s local machine.(Citation: S2 Grupo TrickBot June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) decodes the configuration data and modules.(Citation: Fidelis TrickBot Oct 2016)(Citation: Cyberreason Anchor December 2019)(Citation: Joe Sec Trickbot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1482", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can gather information about domain trusts by utilizing [Nltest](https://attack.mitre.org/software/S0359).(Citation: Fortinet TrickBot)(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses a custom crypter leveraging Microsoft\u2019s CryptoAPI to encrypt C2 traffic.(Citation: Fidelis TrickBot Oct 2016) Newer versions of [TrickBot](https://attack.mitre.org/software/S0266) have been known to use `bcrypt` to encrypt and digitally sign responses to their C2 server.(Citation: Bitdefender Trickbot C2 infra Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can send information about the compromised host and upload data to a hardcoded C2 server.(Citation: Cyberreason Anchor December 2019)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1210", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses the EternalBlue and EternalRomance exploits for lateral movement in its wormwinDll, wormDll, mwormDll, nwormDll, and tabDll modules.(Citation: ESET Trickbot Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1495", "comment": "The [TrickBot](https://attack.mitre.org/software/S0266) module \"Trickboot\" can write or erase the UEFI/BIOS firmware of a compromised device.(Citation: Eclypsium Trickboot December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has used a hidden VNC (hVNC) window to monitor the victim and collect information stealthily.(Citation: Emotet Deploys TrickBot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can disable Windows Defender.(Citation: Trend Micro Trickbot Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) downloads several additional files and saves them to the victim's machine.(Citation: Trend Micro Totbrick Oct 2016)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.004", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can capture RDP credentials by hooking the CredEnumerateA API.(Citation: TrendMicro Trickbot Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "showSubtechniques": true},
    {"techniqueID": "T1559.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has used COM to set up a scheduled task for persistence.(Citation: ESET Trickbot Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "comment": "The [TrickBot](https://attack.mitre.org/software/S0266) downloader has used an icon to appear as a Microsoft Word document.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can modify registry entries.(Citation: Trend Micro Trickbot Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses the Windows API call CreateProcessW() to manage execution flow.(Citation: S2 Grupo TrickBot June 2017) [TrickBot](https://attack.mitre.org/software/S0266) has also used Nt* API functions to perform [Process Injection](https://attack.mitre.org/techniques/T1055).(Citation: Joe Sec Trickbot)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "The [TrickBot](https://attack.mitre.org/software/S0266) shareDll/mshareDll module discovers network shares via the WNetOpenEnumA API.(Citation: ESET Trickbot Oct 2020)(Citation: Bitdefender Trickbot March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "Some [TrickBot](https://attack.mitre.org/software/S0266) samples have used HTTP over ports 447 and 8082 for C2.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: Trend Micro Totbrick Oct 2016) Newer versions of [TrickBot](https://attack.mitre.org/software/S0266) have been known to use a custom communication protocol which sends the data unencrypted over port 443.(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses non-descriptive names to hide functionality.(Citation: S2 Grupo TrickBot June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) leverages a custom packer to obfuscate its functionality.(Citation: S2 Grupo TrickBot June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses 256-bit AES in CBC mode to encrypt its loader and configuration files.(Citation: S2 Grupo TrickBot June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1069", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can identify the groups the user on a compromised host belongs to.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has used an email with an Excel sheet containing a malicious macro to deploy the malware.(Citation: TrendMicro Trickbot Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566.002", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has been delivered via malicious links in phishing e-mails.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1542", "showSubtechniques": true},
    {"techniqueID": "T1542.003", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can implant malicious code into a compromised device's firmware.(Citation: Eclypsium Trickboot December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses its networkDll module for process list discovery.(Citation: ESET Trickbot Oct 2020)(Citation: Bitdefender Trickbot March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has used Nt* [Native API](https://attack.mitre.org/techniques/T1106) functions to inject code into legitimate processes such as wermgr.exe.(Citation: Joe Sec Trickbot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) injects into the svchost.exe process.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Totbrick Oct 2016)(Citation: Microsoft Totbrick Oct 2017)(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090", "showSubtechniques": true},
    {"techniqueID": "T1090.002", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has been known to reach a command and control server via one of nine proxy IP addresses.(Citation: Bitdefender Trickbot C2 infra Nov 2020)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1219", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) uses its vncDll module to remotely control the victim machine.(Citation: ESET Trickbot Oct 2020)(Citation: Bitdefender Trickbot March 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.005", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has used a VNC module to monitor the victim and collect information to pivot to valuable systems on the network.(Citation: Trickbot VNC module July 2021)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can enumerate computers and network devices.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) creates a scheduled task on the system that provides persistence.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Totbrick Oct 2016)(Citation: Microsoft Totbrick Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has come with a signed downloader component.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim\u2019s machine.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: Cyberreason Anchor December 2019)(Citation: Eclypsium Trickboot December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) obtains the IP address, location, and other relevant network information from the victim\u2019s machine.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can identify the user and the groups the user belongs to on a compromised host.(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) collects a list of installed programs and services on the victim\u2019s machine.(Citation: S2 Grupo TrickBot June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.001", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP.(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019) Additionally, it searches for the \".vnc.lnk\" affix to steal VNC credentials.(Citation: TrendMicro Trickbot Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552.002", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has retrieved PuTTY credentials by querying the Software\\SimonTatham\\Putty\\Sessions registry key.(Citation: TrendMicro Trickbot Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has attempted to get users to launch malicious documents to deliver its payload.(Citation: TrendMicro Trickbot Feb 2019)(Citation: Cyberreason Anchor December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[TrickBot](https://attack.mitre.org/software/S0266) has used printf and file I/O loops to delay process execution as part of API hammering.(Citation: Joe Sec Trickbot)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by TrickBot", "color": "#66b1ff"}]
}