{"description": "Enterprise techniques used by KeyBoy, ATT&CK software S0387 (v1.3)", "name": "KeyBoy (S0387)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.004", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) issues the command reg add \u201cHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\u201d to achieve persistence.(Citation: PWC KeyBoys Feb 2017) (Citation: CitizenLab KeyBoy Nov 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) uses PowerShell commands to download and execute payloads.(Citation: PWC KeyBoys Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) can launch interactive shells for communicating with the victim machine.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) uses VBS scripts for installing files and performing execution.(Citation: CitizenLab KeyBoy Nov 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) uses Python scripts for installing files and performing execution.(Citation: CitizenLab KeyBoy Nov 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) installs a service pointing to a malicious DLL dropped to disk.(Citation: Rapid7 KeyBoy Jun 2013)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) attempts to collect passwords from browsers.(Citation: Rapid7 KeyBoy Jun 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.003", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) uses custom SSL libraries to impersonate SSL in C2 traffic.(Citation: PWC KeyBoys Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) has a command to launch a file browser or explorer on the system.(Citation: PWC KeyBoys Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) uses -w Hidden to conceal a [PowerShell](https://attack.mitre.org/techniques/T1059/001) window that downloads a payload. (Citation: PWC KeyBoys Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) time-stomped its DLL in order to evade detection.(Citation: PWC KeyBoys Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) has a download and upload functionality.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) installs a keylogger for intercepting credentials and keystrokes.(Citation: Rapid7 KeyBoy Jun 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.(Citation: PWC KeyBoys Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "In one version of [KeyBoy](https://attack.mitre.org/software/S0387), string obfuscation routines were used to hide many of the critical values referenced in the malware.(Citation: CitizenLab KeyBoy Nov 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) has a command to perform screen grabbing.(Citation: PWC KeyBoys Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) can gather extended system information, such as information about the operating system, disks, and memory.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[KeyBoy](https://attack.mitre.org/software/S0387) can determine the public or WAN IP address for the system.(Citation: PWC KeyBoys Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by KeyBoy", "color": "#66b1ff"}]}