{
  "description": "Enterprise techniques used by Agent Tesla, ATT&CK software S0331 (v1.3)",
  "name": "Agent Tesla (S0331)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.001", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect account information from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has used HTTP for C2 communications.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.003", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has used SMTP for C2 communications.(Citation: Cofense Agent Tesla)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can encrypt data with 3DES before sending it over to a C2 server.(Citation: Talos Agent Tesla Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can add itself to the Registry as a startup program to establish persistence.(Citation: Fortinet Agent Tesla April 2018)(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1185", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to use form-grabbing to extract data from web data forms.(Citation: Bitdefender Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1115", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can steal data from the victim\u2019s clipboard.(Citation: Talos Agent Tesla Oct 2018)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1555", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to steal credentials from FTP clients and wireless profiles.(Citation: Malwarebytes Agent Tesla April 2020)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can gather credentials from a number of browsers.(Citation: Bitdefender Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.(Citation: Malwarebytes Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1048", "showSubtechniques": true},
    {"techniqueID": "T1048.003", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has routines for exfiltration over SMTP, FTP, and HTTP.(Citation: Talos Agent Tesla Oct 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1203", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has created hidden folders.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has used ProcessWindowStyle.Hidden to hide windows.(Citation: Malwarebytes Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the capability to kill any running analysis processes and AV software.(Citation: Fortinet Agent Tesla June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can download additional files for execution on the victim\u2019s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can log keystrokes on the victim\u2019s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can achieve persistence by modifying Registry key entries.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has had its code obfuscated in an apparent attempt to make analysis difficult.(Citation: Fortinet Agent Tesla April 2018) [Agent Tesla](https://attack.mitre.org/software/S0331) has used the Rijndael symmetric encryption algorithm to encrypt strings.(Citation: Malwarebytes Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "The primary delivery mechanism for [Agent Tesla](https://attack.mitre.org/software/S0331) is email phishing messages.(Citation: Bitdefender Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can list the current running processes on the system.(Citation: Fortinet Agent Tesla June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can inject into known, vulnerable binaries on targeted hosts.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.012", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has achieved persistence via scheduled tasks.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can capture screenshots of the victim\u2019s desktop.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.009", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has dropped RegAsm.exe onto systems for performing malicious activity.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Malwarebytes Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016.002", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect names and passwords of all Wi-Fi networks to which a device has previously connected.(Citation: Malwarebytes Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1033", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the username from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla April 2018)(Citation: Malwarebytes Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can collect the timestamp from the victim\u2019s machine.(Citation: DigiTrust Agent Tesla Jan 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.001", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to extract credentials from configuration or support files.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552.002", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to extract credentials from the Registry.(Citation: SentinelLabs Agent Tesla Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has been executed through malicious e-mail attachments.(Citation: Bitdefender Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1125", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) can access the victim\u2019s webcam and record video.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Talos Agent Tesla Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1497", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to perform anti-sandboxing and anti-virtualization checks.(Citation: Malwarebytes Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[Agent Tesla](https://attack.mitre.org/software/S0331) has used WMI queries to gather information from the system.(Citation: Bitdefender Agent Tesla April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Agent Tesla", "color": "#66b1ff"}]
}