{"description": "Enterprise techniques used by Calisto, ATT&CK software S0274 (v1.1)", "name": "Calisto (S0274)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1098", "comment": "[Calisto](https://attack.mitre.org/software/S0274) adds permissions and remote logins to all users.(Citation: Symantec Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[Calisto](https://attack.mitre.org/software/S0274) uses the zip -r command to compress the data collected on the local system.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1217", "comment": "[Calisto](https://attack.mitre.org/software/S0274) collects information on bookmarks from Google Chrome.(Citation: Securelist Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[Calisto](https://attack.mitre.org/software/S0274) has the capability to add its own account to the victim's machine.(Citation: Symantec Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.001", "comment": "[Calisto](https://attack.mitre.org/software/S0274) adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.(Citation: Securelist Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.001", "comment": "[Calisto](https://attack.mitre.org/software/S0274) collects Keychain storage data and copies those passwords/tokens to a file.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Calisto](https://attack.mitre.org/software/S0274) can collect data from user directories.(Citation: Securelist Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Calisto](https://attack.mitre.org/software/S0274) uses a hidden directory named .calisto to store data from the victim\u2019s machine before exfiltration.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[Calisto](https://attack.mitre.org/software/S0274) uses a hidden directory named .calisto to store data from the victim\u2019s machine before exfiltration.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Calisto](https://attack.mitre.org/software/S0274) has the capability to use rm -rf to remove folders and files from the victim's machine.(Citation: Securelist Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Calisto](https://attack.mitre.org/software/S0274) has the capability to upload and download files to the victim's machine.(Citation: Symantec Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.002", "comment": "[Calisto](https://attack.mitre.org/software/S0274) presents an input prompt asking for the user's login and password.(Citation: Symantec Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Calisto](https://attack.mitre.org/software/S0274)'s installation file is an unsigned DMG image under the guise of Intego\u2019s security solution for mac.(Citation: Securelist Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "[Calisto](https://attack.mitre.org/software/S0274) runs the ifconfig command to obtain the IP address from the victim\u2019s machine.(Citation: Securelist Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.001", "comment": "[Calisto](https://attack.mitre.org/software/S0274) uses launchctl to enable screen sharing on the victim\u2019s machine.(Citation: Securelist Calisto July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Calisto", "color": "#66b1ff"}]}