{"description": "Enterprise techniques used by Keydnap, ATT&CK software S0276 (v1.2)", "name": "Keydnap (S0276)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.001", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) adds the setuid flag to a binary so it can easily elevate in the future.(Citation: OSX Keydnap malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) uses HTTPS for command and control.(Citation: synack 2016 review)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) uses Python for scripting to execute additional commands.(Citation: synack 2016 review)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.001", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) uses a Launch Agent to persist.(Citation: synack 2016 review)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.002", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) uses the keychaindump project to read securityd memory.(Citation: synack 2016 review)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.009", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system.(Citation: OSX Keydnap malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.002", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) prompts the users for credentials.(Citation: synack 2016 review)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.006", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.(Citation: synack 2016 review)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[Keydnap](https://attack.mitre.org/software/S0276) uses a copy of tor2web proxy for HTTPS communications.(Citation: synack 2016 review)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Keydnap", "color": "#66b1ff"}]}