{
  "description": "Enterprise techniques used by Dridex, ATT&CK software S0384 (v2.1)",
  "name": "Dridex (S0384)",
  "domain": "enterprise-attack",
  "versions": {
    "layer": "4.5",
    "attack": "17",
    "navigator": "5.1.0"
  },
  "techniques": [
    {
      "techniqueID": "T1071",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1071.001",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) has used POST requests and HTTPS for C2 communications.(Citation: Kaspersky Dridex May 2017)(Citation: Checkpoint Dridex Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1185",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.(Citation: Dell Dridex Oct 2015)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1573",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1573.001",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) has encrypted traffic with RC4.(Citation: Kaspersky Dridex May 2017)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1573.002",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) has encrypted traffic with RSA.(Citation: Kaspersky Dridex May 2017)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1574",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1574.001",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) can abuse legitimate Windows executables to side-load malicious DLL files.(Citation: Red Canary Dridex Threat Report 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1106",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.(Citation: Checkpoint Dridex Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1027",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384)'s strings are obfuscated using RC4.(Citation: Checkpoint Dridex Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1090",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.(Citation: Dell Dridex Oct 2015)(Citation: Checkpoint Dridex Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1090.003",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.(Citation: Checkpoint Dridex Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1219",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) contains a module for VNC.(Citation: Dell Dridex Oct 2015)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1053",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1053.005",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) can maintain persistence via the creation of scheduled tasks within system directories such as `windows\\system32\\`, `windows\\syswow64`, `winnt\\system32`, and `winnt\\syswow64`.(Citation: Red Canary Dridex Threat Report 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1518",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) has collected a list of installed software on the system.(Citation: Checkpoint Dridex Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1218",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1218.010",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) can use `regsvr32.exe` to initiate malicious code.(Citation: Red Canary Dridex Threat Report 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1082",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) has collected the computer name and OS architecture information from the system.(Citation: Checkpoint Dridex Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": false
    },
    {
      "techniqueID": "T1204",
      "showSubtechniques": true
    },
    {
      "techniqueID": "T1204.002",
      "comment": "[Dridex](https://attack.mitre.org/software/S0384) has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Checkpoint Dridex Jan 2021)",
      "score": 1,
      "color": "#66b1ff",
      "showSubtechniques": true
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#66b1ff"],
    "minValue": 0,
    "maxValue": 1
  },
  "legendItems": [
    {
      "label": "used by Dridex",
      "color": "#66b1ff"
    }
  ]
}
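Added example, not part of the layer above or of the ATT&CK project: a small Python linter for Navigator layers of this shape. The layer above follows a convention worth checking before a layer is shared or merged: every sub-technique entry (for example `T1071.001`) is accompanied by a bare parent row (`T1071`) with `showSubtechniques` set to `true` so the matrix renders the sub-technique expanded, only the evidence-bearing entries carry a `score`, and every scored colour appears in `legendItems`. The embedded sample layer is a constructed, trimmed subset of the page's entries in which two parent rows (`T1574` and `T1218`) are deliberately omitted so the checks have something to flag.

```python
"""Lint an ATT&CK Navigator layer (format 4.x) for the conventions the
Dridex S0384 layer follows. Added example; the sample below is a
constructed subset of that layer, not the full file."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample: same shape as the page's JSON, parent rows for
# T1574 and T1218 intentionally left out to exercise the checks.
SAMPLE_LAYER = json.loads('''
{
  "name": "Dridex (S0384)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "POST requests and HTTPS for C2 (Citation: Kaspersky Dridex May 2017)",
     "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1185", "comment": "web injects (Citation: Dell Dridex Oct 2015)",
     "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574.001", "comment": "DLL side-loading (Citation: Red Canary Dridex Threat Report 2021)",
     "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218.010", "comment": "regsvr32.exe (Citation: Red Canary Dridex Threat Report 2021)",
     "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Dridex", "color": "#66b1ff"}]
}
''')


def parent_of(technique_id):
    """'T1574.001' -> 'T1574'; a parent technique has no parent (None)."""
    return technique_id.split(".")[0] if "." in technique_id else None


def scored_techniques(layer):
    """Map technique ID -> comment for entries that carry a score.

    Bare parent rows (no score) are display hints that expand the
    sub-technique list; they are not evidence of use and are skipped."""
    return {
        t["techniqueID"]: t.get("comment", "").strip()
        for t in layer["techniques"]
        if "score" in t
    }


def lint_layer(layer):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    entries = layer.get("techniques", [])
    ids = [t.get("techniqueID", "") for t in entries]
    by_id = {t.get("techniqueID", ""): t for t in entries}
    gradient = layer.get("gradient", {})
    lo, hi = gradient.get("minValue", 0), gradient.get("maxValue", 100)
    legend_colors = {i["color"].lower() for i in layer.get("legendItems", [])}

    for tid in ids:
        if not TECHNIQUE_ID.match(tid):
            findings.append(f"{tid or '<missing>'}: malformed technique ID")
    for tid in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"{tid}: listed more than once")

    for t in entries:
        tid = t.get("techniqueID", "")
        parent = parent_of(tid)
        if parent and parent not in by_id:
            findings.append(f"{tid}: sub-technique listed without a parent {parent} entry")
        elif parent and not by_id[parent].get("showSubtechniques", False):
            findings.append(f"{tid}: parent {parent} is collapsed (showSubtechniques is not true)")
        if "score" in t:
            if not lo <= t["score"] <= hi:
                findings.append(f"{tid}: score {t['score']} outside gradient range [{lo}, {hi}]")
            if legend_colors and t.get("color", "").lower() not in legend_colors:
                findings.append(f"{tid}: color {t.get('color')} has no legend entry")
            if not t.get("comment", "").strip():
                findings.append(f"{tid}: scored but carries no comment or citation")
    return findings


if __name__ == "__main__":
    for line in lint_layer(SAMPLE_LAYER) or ["layer is clean"]:
        print(line)
```

Run against the full layer above (`lint_layer(json.load(open("dridex_layer.json")))`, path assumed) it reports nothing, since each of the six sub-techniques has its parent row and every scored entry uses the single legend colour; the sample reports the two missing parents.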