{"description": "Enterprise techniques used by RogueRobin, ATT&CK software S0270 (v2.2)", "name": "RogueRobin (S0270)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) uses a command prompt to run a PowerShell script from Excel.(Citation: Unit 42 DarkHydrus July 2018) To assist in establishing persistence, [RogueRobin](https://attack.mitre.org/software/S0270) creates %APPDATA%\\OneDrive.bat and saves the following string to it:powershell.exe -WindowStyle Hidden -exec bypass -File \u201c%APPDATA%\\OneDrive.ps1\u201d.(Citation: Unit42 DarkHydrus Jan 2019)(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) uses Windows Script Components.(Citation: Unit42 DarkHydrus Jan 2019)(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": 
"[RogueRobin](https://attack.mitre.org/software/S0270) base64 encodes strings that are sent to the C2 over its DNS tunnel.(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) decodes an embedded executable using base64 and decompresses it.(Citation: Unit42 DarkHydrus Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) can save a new file to the system from the C2 server.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "The PowerShell script with the [RogueRobin](https://attack.mitre.org/software/S0270) payload was obfuscated using the COMPRESS technique in `Invoke-Obfuscation`.(Citation: Unit 42 DarkHydrus July 2018)(Citation: GitHub Invoke-Obfuscation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) has a command named $screenshot that may be responsible for taking screenshots of the victim machine.(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) enumerates running processes to search for Wireshark and Windows Sysinternals suite.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) uses regsvr32.exe to run a .sct file for execution.(Citation: Unit42 DarkHydrus Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) gathers the IP address and domain from the victim\u2019s machine.(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) collects the victim\u2019s username and whether that user is an admin.(Citation: Unit 42 DarkHydrus July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) has used Google Drive as a Command and Control channel. (Citation: Unit42 DarkHydrus Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[RogueRobin](https://attack.mitre.org/software/S0270) uses various WMI queries to check if the sample is running in a sandbox.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by RogueRobin", "color": "#66b1ff"}]}