{"description": "Enterprise techniques used by GreyEnergy, ATT&CK software S0342 (v1.2)", "name": "GreyEnergy (S0342)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) uses HTTP and HTTPS for C2 communications.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) uses cmd.exe to execute itself in-memory.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) chooses an existing service, drops a DLL file, and writes the path of that DLL to the service's ServiceDll Registry value.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) encrypts communications using AES-256.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) encrypts communications using RSA-2048.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) can download additional modules and payloads.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) has a module to harvest pressed keystrokes.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) modifies conditions in the Registry and adds keys.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) is packed for obfuscation.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) encrypts its configuration files with AES-256 and also encrypts its strings.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) has a module for [Mimikatz](https://attack.mitre.org/software/S0002) to collect Windows credentials from the victim\u2019s machine.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.002", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) has a module to inject a PE binary into a remote process.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) has used [Tor](https://attack.mitre.org/software/S0183) relays for Command and Control servers.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) digitally signs the malware with a code-signing certificate.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) uses PsExec locally in order to execute rundll32.exe at the highest privileges (NT AUTHORITY\\SYSTEM).(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1007", "comment": "[GreyEnergy](https://attack.mitre.org/software/S0342) enumerates all Windows services.(Citation: ESET GreyEnergy Oct 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by GreyEnergy", "color": "#66b1ff"}]}
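Added example, not part of the ATT&CK layer above or of the ESET report it cites: an offline, stdlib-only Python triage for the ServiceDll persistence the layer lists under T1543.003 (an existing service's ServiceDll value repointed at a dropped DLL). It assumes you have captured the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` from a host, once as a known-good baseline and once now. The two snapshots below are constructed in that shape; the service names UpdSvc and OEMHelper, their DLL paths and the `C:\Windows` expansion of `%SystemRoot%` are assumptions made for the example.

```python
"""Triage ServiceDll persistence (ATT&CK T1543.003) from `reg query` output.

Editor's added example; not code from the ATT&CK layer or the ESET report.
Input: text of `reg query HKLM\\SYSTEM\\CurrentControlSet\\Services /s /v ServiceDll`.
"""
import ntpath
import re

# Constructed current-state snapshot in the shape of `reg query ... /s` output.
# "UpdSvc" plays the hijacked service: its ServiceDll now points at a dropped
# DLL under ProgramData. Names and paths are invented for this example.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\dhcpcore.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\wevtsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Intel\updsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OEMHelper\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Program Files\OEM\helper.dll

End of search: 4 match(es) found.
"""

# Constructed known-good snapshot of the same host taken before the intrusion:
# identical, except UpdSvc still pointed at its original DLL under System32.
BASELINE_REG_QUERY = SAMPLE_REG_QUERY.replace(
    r"C:\ProgramData\Intel\updsvc.dll", r"%SystemRoot%\System32\updsvc.dll"
)

# Key line for a service; ServiceDll normally lives under <service>\Parameters.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)(?:\\Parameters)?$",
    re.I,
)
# Value line: "    ServiceDll    REG_EXPAND_SZ    <path>"
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.I)

# Assumed variable expansion for offline analysis (no live host to ask).
ENV = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WRITABLE_HINTS = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")


def parse_service_dlls(text):
    """Map service name -> raw ServiceDll data parsed from reg query output."""
    found = {}
    service = None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            service = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and service:
            found[service] = value.group(1)
    return found


def normalize(path):
    """Strip quotes, expand the usual variables, normalise separators and case."""
    p = path.strip().strip('"')
    for var, val in ENV.items():
        p = re.sub(re.escape(var), lambda _m, v=val: v, p, flags=re.I)
    return ntpath.normpath(p).lower()


def triage(text):
    """Return [(service, raw_path, [reasons])] for ServiceDll entries worth a look."""
    findings = []
    for service, raw in parse_service_dlls(text).items():
        path = normalize(raw)
        reasons = []
        if not path.startswith(TRUSTED_DIRS):
            reasons.append("ServiceDll outside System32/SysWOW64")
        if not path.endswith(".dll"):
            reasons.append("ServiceDll does not end in .dll")
        if any(hint in path for hint in WRITABLE_HINTS):
            reasons.append("ServiceDll in a user- or world-writable location")
        if reasons:
            findings.append((service, raw, reasons))
    return findings


def changed_service_dlls(baseline_text, current_text):
    """Services whose normalised ServiceDll differs from the baseline (or are new).

    The technique overwrites the ServiceDll of an existing service, so the change
    itself is the strongest signal; a third-party service outside System32 is
    only noise if it looked the same in the known-good snapshot.
    """
    base = {s: normalize(p) for s, p in parse_service_dlls(baseline_text).items()}
    cur = {s: normalize(p) for s, p in parse_service_dlls(current_text).items()}
    return {s: (base.get(s), p) for s, p in cur.items() if base.get(s) != p}


if __name__ == "__main__":
    for service, raw, reasons in triage(SAMPLE_REG_QUERY):
        print(f"{service}: {raw}\n    " + "\n    ".join(reasons))
    for service, (before, after) in changed_service_dlls(BASELINE_REG_QUERY, SAMPLE_REG_QUERY).items():
        print(f"{service}: ServiceDll changed {before!r} -> {after!r}")
```

Treat the output as leads, not verdicts: on the live host, follow up by checking the flagged DLL's Authenticode signature (for example with PowerShell's `Get-AuthenticodeSignature`) and the service's original binary. Note the layer's T1553.002 entry, which records that GreyEnergy ships code-signed, so a valid signature on a DLL that newly appeared in a ServiceDll value does not clear it; the baseline diff in `changed_service_dlls` is the check that survives that trick.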