{"description": "Enterprise techniques used by KONNI, ATT&CK software S0356 (v2.1)", "name": "KONNI (S0356)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to \u201cAlwaysNotify\u201d.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.004", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used HTTP POST for C2.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has encrypted data and files prior to exfiltration.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "A version of [KONNI](https://attack.mitre.org/software/S0356) has dropped a Windows shortcut into the Startup folder to establish persistence.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "A version of [KONNI](https://attack.mitre.org/software/S0356) drops a Windows shortcut on the victim\u2019s machine to establish persistence.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[KONNI](https://attack.mitre.org/software/S0356) had a feature to steal data from the clipboard.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[KONNI](https://attack.mitre.org/software/S0356) used PowerShell to download and execute a specific 64-bit version of the malware.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has executed malicious JavaScript code.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has registered itself as a service using its export function.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[KONNI](https://attack.mitre.org/software/S0356) can steal profiles (containing credential information) from Firefox, Chrome, and Opera.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used a custom base64 key to encode stolen data before exfiltration.(Citation: Medium KONNI Jan 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has stored collected information and discovered processes in a tmp file.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used AES to encrypt C2 traffic.(Citation: Malwarebytes KONNI Evolves Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has modified ComSysApp service to load the malicious DLL payload.(Citation: Medium KONNI Jan 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "showSubtechniques": true}, {"techniqueID": "T1048.003", "comment": 
"[KONNI](https://attack.mitre.org/software/S0356) has used FTP to exfiltrate reconnaissance data out.(Citation: Medium KONNI Jan 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has sent data and files to its C2 server.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021)(Citation: Malwarebytes KONNI Evolves Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "A version of [KONNI](https://attack.mitre.org/software/S0356) searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[KONNI](https://attack.mitre.org/software/S0356) can delete files.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[KONNI](https://attack.mitre.org/software/S0356) can download files and execute them on the victim\u2019s machine.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has the capability to perform keylogging.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has pretended to be the xmlProv Network Provisioning service.(Citation: Malwarebytes Konni Aug 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1036.005", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has created a shortcut called \"Anti virus service.lnk\" in an apparent attempt to masquerade as a legitimate file.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has hardcoded API calls within its functions to use on the victim's machine.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has been packed for obfuscation.(Citation: Malwarebytes KONNI Evolves Jan 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[KONNI](https://attack.mitre.org/software/S0356) is heavily obfuscated and includes encrypted configuration files.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has been delivered via spearphishing campaigns through a malicious Word document.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used the command cmd /c tasklist to get a snapshot of the current processes on the target machine.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[KONNI](https://attack.mitre.org/software/S0356) can take screenshots of the victim\u2019s machine.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used Rundll32 to execute its loader for privilege escalation purposes.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[KONNI](https://attack.mitre.org/software/S0356) can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim\u2019s machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[KONNI](https://attack.mitre.org/software/S0356) can collect the IP address from the victim\u2019s machine.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[KONNI](https://attack.mitre.org/software/S0356) has used net session on the victim's machine.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[KONNI](https://attack.mitre.org/software/S0356) can collect the username from the victim\u2019s machine.(Citation: Talos Konni May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": 
"[KONNI](https://attack.mitre.org/software/S0356) has relied on a victim to enable malicious macros within an attachment delivered via email.(Citation: Malwarebytes Konni Aug 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by KONNI", "color": "#66b1ff"}]}