{
  "description": "Enterprise techniques used by FELIXROOT, ATT&CK software S0267 (v2.2)",
  "name": "FELIXROOT (S0267)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) uses HTTP and HTTPS to communicate with the C2 server.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) encrypts collected data with AES and Base64 and then sends it to the C2 server.(Citation: FireEye FELIXROOT July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) adds a shortcut file to the startup folder for persistence.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547.009", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) creates a .LNK file for persistence.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) executes batch scripts on the victim\u2019s machine, and can launch a reverse shell for command execution.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) deletes the .LNK file from the startup directory as well as the dropper components.(Citation: FireEye FELIXROOT July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) downloads and uploads files to and from the victim\u2019s machine.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) deletes the Registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open.(Citation: FireEye FELIXROOT July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) encrypts strings in the backdoor using a custom XOR algorithm.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) collects a list of running processes.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1012", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) queries the Registry for specific keys for potential privilege escalation and proxy information. [FELIXROOT](https://attack.mitre.org/software/S0267) has also used WMI to query the Windows Registry.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) checks for installed security software like antivirus and firewall.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) uses Rundll32 for executing the dropper program.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) collects the victim\u2019s computer name, processor architecture, OS version, volume serial number, and system type.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) collects information about the network including the IP address and DHCP server.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) collects the username from the victim\u2019s machine.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) gathers the time zone information from the victim\u2019s machine.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) uses WMI to query the Windows Registry.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by FELIXROOT", "color": "#66b1ff"}]
}
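The layer above follows the usual ATT&CK Navigator conventions: an unscored parent row with `showSubtechniques` set for every scored sub-technique, scores inside the gradient range, one legend color, and comments that carry markdown links plus `(Citation: ...)` tags. Layers built or merged by hand routinely break the first of these, and the Navigator then silently hides the sub-technique. The script below is an added example, not part of the layer and not MITRE's code; it checks those conventions, repairs missing parent rows, and turns the comments into plain-text claims with a per-source citation count. `SAMPLE_LAYER` is a constructed subset of the FELIXROOT layer, and the function names are my own.

```python
"""Check and summarize an ATT&CK Navigator layer of the kind shown above (added example)."""
import copy
import json
import re
from collections import Counter

# Constructed subset of the FELIXROOT layer (sample data, not the full file):
# two parent rows, two scored sub-techniques and two scored top-level techniques.
SAMPLE_LAYER = json.loads(r'''{
  "name": "FELIXROOT (S0267)",
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) uses HTTP and HTTPS to communicate with the C2 server.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) adds a shortcut file to the startup folder for persistence.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) deletes the Registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open.(Citation: FireEye FELIXROOT July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[FELIXROOT](https://attack.mitre.org/software/S0267) uses WMI to query the Windows Registry.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by FELIXROOT", "color": "#66b1ff"}]
}''')

CITATION_RE = re.compile(r"\(Citation: ([^)]+)\)")
MD_LINK_RE = re.compile(r"\[([^\]]+)\]\([^)]+\)")


def validate_layer(layer):
    """Return a list of consistency problems; an empty list means the layer is sound.

    Checks: every sub-technique row has a parent row that expands sub-techniques,
    every score lies inside the gradient range, and every color used has a legend entry.
    """
    problems = []
    rows = {t["techniqueID"]: t for t in layer["techniques"]}
    lo, hi = layer["gradient"]["minValue"], layer["gradient"]["maxValue"]
    legend_colors = {item["color"] for item in layer.get("legendItems", [])}
    for tid, row in rows.items():
        if "." in tid:
            parent = tid.split(".", 1)[0]
            if parent not in rows:
                problems.append(f"{tid}: parent row {parent} is missing")
            elif not rows[parent].get("showSubtechniques", False):
                problems.append(f"{tid}: parent {parent} does not expand sub-techniques")
        if "score" in row and not lo <= row["score"] <= hi:
            problems.append(f"{tid}: score {row['score']} outside gradient [{lo}, {hi}]")
        if "color" in row and legend_colors and row["color"] not in legend_colors:
            problems.append(f"{tid}: color {row['color']} has no legend entry")
    return problems


def repair_parents(layer):
    """Return a copy of the layer in which every sub-technique has an expanded parent row.

    A missing parent is inserted, unscored, right before its first sub-technique
    (the same shape the layer above uses); an existing parent gets showSubtechniques set.
    """
    fixed = copy.deepcopy(layer)
    by_id = {t["techniqueID"]: t for t in fixed["techniques"]}
    repaired = []
    for row in fixed["techniques"]:
        tid = row["techniqueID"]
        if "." in tid:
            parent = tid.split(".", 1)[0]
            if parent not in by_id:
                by_id[parent] = {"techniqueID": parent, "showSubtechniques": True}
                repaired.append(by_id[parent])
            else:
                by_id[parent]["showSubtechniques"] = True
        repaired.append(row)
    fixed["techniques"] = repaired
    return fixed


def scored_techniques(layer):
    """Map techniqueID -> plain-text claim: markdown links unwrapped, citation tags removed."""
    summary = {}
    for row in layer["techniques"]:
        if "score" not in row:
            continue  # parent rows carry no claim, only the showSubtechniques flag
        text = MD_LINK_RE.sub(r"\1", row.get("comment", ""))
        summary[row["techniqueID"]] = CITATION_RE.sub("", text).strip()
    return summary


def citation_counts(layer):
    """Number of technique rows each source backs; shows which claims rest on a single report."""
    counts = Counter()
    for row in layer["techniques"]:
        counts.update(set(CITATION_RE.findall(row.get("comment", ""))))
    return counts


if __name__ == "__main__":
    print("problems:", validate_layer(SAMPLE_LAYER))
    for tid, claim in scored_techniques(SAMPLE_LAYER).items():
        print(tid, "-", claim)
    print(citation_counts(SAMPLE_LAYER))
```

Run it against the full layer by replacing `SAMPLE_LAYER` with `json.load(open("felixroot.json"))`; on the layer above `validate_layer` returns an empty list, and `citation_counts` shows that several rows (for example T1547.001, T1547.009 and T1047) rest on the ESET GreyEnergy report alone, which is worth knowing before building detections on them.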