{
  "description": "Enterprise techniques used by Micropsia, ATT&CK software S0339 (v1.2)",
  "name": "Micropsia (S0339)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) uses HTTP and HTTPS for C2 network communications.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) creates a RAR archive based on collected files on the victim's machine.(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1123", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) can perform microphone recording.(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1119", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) executes an RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt).(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.009", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) creates a shortcut to maintain persistence.(Citation: Talos Micropsia June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) creates a command-line shell using cmd.exe.(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each.(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) can download and execute an executable from the C2 server.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) has keylogging capabilities.(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) obfuscates the configuration with a custom Base64 and XOR.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) searches for anti-virus software and firewall products installed on the victim\u2019s machine using WMI.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) gathers the hostname and OS version from the victim\u2019s machine.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) collects the username from the victim\u2019s machine.(Citation: Talos Micropsia June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1047", "comment": "[Micropsia](https://attack.mitre.org/software/S0339) searches for anti-virus software and firewall products installed on the victim\u2019s machine using WMI.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Micropsia", "color": "#66b1ff"}]
}