{"description": "Enterprise techniques used by More_eggs, ATT&CK software S0284 (v3.1)", "name": "More_eggs (S0284)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) uses HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has used cmd.exe for execution.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: ESET EvilNum July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has used basE91 encoding, along with encryption, for C2 communication.(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) will decode malware components that are then dropped to the system.(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has used an RC4-based encryption method for its C2 communications.(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) can remove itself from a system.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) can download and launch additional payloads.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[More_eggs](https://attack.mitre.org/software/S0284)'s payload has been encrypted with a key that has the hostname and processor family information appended to the end.(Citation: ESET EvilNum July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) can obtain information on installed anti-malware programs.(Citation: Talos Cobalt Group July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has used regsvr32.exe to execute the malicious DLL.(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has the capability to gather the OS version and computer name.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has the capability to gather the IP address from the victim's machine.(Citation: Talos Cobalt Group July 2018)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1016.001", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has used HTTP GET requests to check internet connectivity.(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1033", "comment": "[More_eggs](https://attack.mitre.org/software/S0284) has the capability to gather the username from the victim's machine.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by More_eggs", "color": "#66b1ff"}]}