{"description": "Enterprise techniques used by UPPERCUT, ATT&CK software S0275 (v1.1)", "name": "UPPERCUT (S0275)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has used HTTP for C2, including sending error codes in Cookie headers.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) uses cmd.exe to execute commands on the victim\u2019s machine.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "Some versions of [UPPERCUT](https://attack.mitre.org/software/S0275) have used the hard-coded string \u201cthis is the encrypt key\u201d for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to gather the victim's current directory.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) can download and upload files to and from the victim\u2019s machine.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) can capture desktop screenshots in the PNG format and send them to the C2 server.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to gather the system\u2019s hostname and OS version.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to gather the victim's proxy information.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to collect the current logged on user\u2019s username from a machine.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[UPPERCUT](https://attack.mitre.org/software/S0275) has the capability to obtain the time zone information and current timestamp of the victim\u2019s machine.(Citation: FireEye APT10 Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by UPPERCUT", "color": "#66b1ff"}]}