{
  "description": "Enterprise techniques used by njRAT, ATT&CK software S0385 (v1.6)",
  "name": "njRAT (S0385)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has used HTTP for C2 communications.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1010", "comment": "[njRAT](https://attack.mitre.org/software/S0385) gathers information about opened windows during the initial infection.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\ and dropped a shortcut in %STARTUP%.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has executed PowerShell commands via auto-run registry key persistence.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can launch a command shell interface for executing commands.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has a module that steals passwords saved in victim web browsers.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[njRAT](https://attack.mitre.org/software/S0385) uses Base64 encoding for C2 traffic.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can collect data from a local system.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1568", "showSubtechniques": true},
    {"techniqueID": "T1568.001", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has used a fast flux DNS for C2 IP resolution.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has used HTTP to receive stolen information from the infected machine.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can browse file systems using a file manager module.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.004", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has modified the Windows firewall to allow itself to communicate through the firewall.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[njRAT](https://attack.mitre.org/software/S0385) is capable of deleting files.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.009", "comment": "[njRAT](https://attack.mitre.org/software/S0385) is capable of manipulating and deleting registry keys, including those used for persistence.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can download files to the victim\u2019s machine.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[njRAT](https://attack.mitre.org/software/S0385) is capable of logging keystrokes.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can create, delete, or modify a specified Registry key or value.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has used the ShellExecute() function within a script.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has used port 1177 for HTTP C2 communications.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.004", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has used AutoIt to compile the payload and main script into a single executable after delivery.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has included a base64 encoded executable.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "[njRAT](https://attack.mitre.org/software/S0385) will attempt to detect if the victim system has a camera during the initial infection. [njRAT](https://attack.mitre.org/software/S0385) can also detect any removable drives connected to the system.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can search a list of running processes for Tr.exe.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1012", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can read specific registry values.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "[njRAT](https://attack.mitre.org/software/S0385) has a module for performing remote desktop access.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can identify remote hosts on connected networks.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1091", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can be configured to spread via removable drives.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can capture screenshots of the victim\u2019s machines.(Citation: Trend Micro njRAT 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[njRAT](https://attack.mitre.org/software/S0385) enumerates the victim operating system and computer name during the initial infection.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[njRAT](https://attack.mitre.org/software/S0385) enumerates the current user during the initial infection.(Citation: Fidelis njRAT June 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1125", "comment": "[njRAT](https://attack.mitre.org/software/S0385) can access the victim's webcam.(Citation: Fidelis njRAT June 2013)(Citation: Citizen Lab Group5)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by njRAT", "color": "#66b1ff"}]
}