{"description": "Enterprise techniques used by Azorult, ATT&CK software S0344 (v1.3)", "name": "Azorult (S0344)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can steal credentials from the victim's browser.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Azorult](https://attack.mitre.org/software/S0344) uses an XOR key to decrypt content and uses Base64 to decode the C2 address.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can encrypt C2 traffic using XOR.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can recursively search for files in folders and collects files from the desktop with certain extensions.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can delete files from victim machines.(Citation: Unit42 Azorult Nov 2018)", 
"score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can download and execute additional files. [Azorult](https://attack.mitre.org/software/S0344) has also downloaded a ransomware payload called Hermes.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can collect a list of running processes by calling CreateToolhelp32Snapshot.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can decrypt the payload into memory, create a new suspended process of itself, then inject a decrypted payload to the new process and resume new process execution.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can check for installed software on the system under the Registry key Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can capture screenshots of the victim\u2019s machines.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can collect host IP information from the victim\u2019s machine.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can collect the username from the victim\u2019s machine.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can collect the time zone information from the system.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[Azorult](https://attack.mitre.org/software/S0344) can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.(Citation: Unit42 Azorult Nov 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Azorult", "color": "#66b1ff"}]}