{"description": "Enterprise techniques used by HAWKBALL, ATT&CK software S0391 (v1.2)", "name": "HAWKBALL (S0391)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has used HTTP to communicate with a single hard-coded C2 server.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has encrypted data with XOR before sending it over the C2 channel.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has sent system information and files over the C2 channel.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has the ability to delete files.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has used an OLE object that uses Equation Editor to drop the embedded shellcode.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) has encrypted the payload with an XOR-based algorithm.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) can collect the OS version, architecture information, and computer name.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[HAWKBALL](https://attack.mitre.org/software/S0391) can collect the user name of the system.(Citation: FireEye HAWKBALL Jun 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by HAWKBALL", "color": "#66b1ff"}]}