{"description": "Enterprise techniques used by Remexi, ATT&CK software S0375 (v1.2)", "name": "Remexi (S0375)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Remexi](https://attack.mitre.org/software/S0375) uses [BITSAdmin](https://attack.mitre.org/software/S0190) to communicate with the C2 server over HTTP.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[Remexi](https://attack.mitre.org/software/S0375) has a command to capture active windows on the machine and retrieve window titles.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1560", "comment": "[Remexi](https://attack.mitre.org/software/S0375) encrypts and adds all gathered browser data into files for upload to C2.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Remexi](https://attack.mitre.org/software/S0375) utilizes Run Registry keys in the HKLM hive as a persistence mechanism.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.004", "comment": "[Remexi](https://attack.mitre.org/software/S0375) achieves persistence using Userinit by adding the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[Remexi](https://attack.mitre.org/software/S0375) collects text from the clipboard.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", 
"showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Remexi](https://attack.mitre.org/software/S0375) silently executes received commands with cmd.exe.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Remexi](https://attack.mitre.org/software/S0375) uses AutoIt and VBS scripts throughout its execution process.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Remexi](https://attack.mitre.org/software/S0375) decrypts the configuration data using XOR with 25-character keys.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Remexi](https://attack.mitre.org/software/S0375) performs exfiltration over [BITSAdmin](https://attack.mitre.org/software/S0190), which is also used for the C2 channel.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Remexi](https://attack.mitre.org/software/S0375) searches for files on the system. (Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Remexi](https://attack.mitre.org/software/S0375) gathers and exfiltrates keystrokes from the machine.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Remexi](https://attack.mitre.org/software/S0375) obfuscates its configuration data with XOR.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Remexi](https://attack.mitre.org/software/S0375) utilizes scheduled tasks as a persistence mechanism.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[Remexi](https://attack.mitre.org/software/S0375) takes screenshots of windows of interest.(Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[Remexi](https://attack.mitre.org/software/S0375) executes received commands with wmic.exe (for WMI commands). (Citation: Securelist Remexi Jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Remexi", "color": "#66b1ff"}]}