{
  "description": "Enterprise techniques used by NOKKI, ATT&CK software S0353 (v1.1)",
  "name": "NOKKI (S0353)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) has used HTTP for C2 communications.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.002", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) has used FTP for C2 communications.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) has established persistence by writing the payload to the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) can collect data from the victim and stage it in %LOCALAPPDATA%\\MicroSoft Updatea\\uplog.tmp.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) uses a unique, custom de-obfuscation technique.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) can delete files to cover tracks.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) has downloaded a remote module for execution.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.004", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim's machine.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) is written to %LOCALAPPDATA%\\MicroSoft Updatea\\svServiceUpdate.exe prior to being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) uses Base64 encoding for strings.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) has used rundll32 for execution.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) can gather information on drives and the operating system on the victim\u2019s machine.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) can gather information on the victim IP address.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) can collect the username from the victim\u2019s machine.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[NOKKI](https://attack.mitre.org/software/S0353) can collect the current timestamp of the victim's machine.(Citation: Unit 42 NOKKI Sept 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by NOKKI", "color": "#66b1ff"}]
}