{
  "description": "Enterprise techniques used by PoetRAT, ATT&CK software S0428 (v2.3)",
  "name": "PoetRAT (S0428)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used HTTP and HTTPS for C2 communications.(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.002", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used FTP for C2 communications.(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to compress files with zip.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) used file system monitoring to track modification and enable automatic exfiltration.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has added a registry key in the  hive for persistence.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has called cmd through a Word document macro.(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used Word documents with VBScripts to execute malicious activities.(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.011", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has executed a Lua script through a Lua interpreter for Windows.(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a Python tool named Browdec.exe to steal browser credentials.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used LZMA and base64 libraries to decode obfuscated scripts.(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) used TLS to encrypt command and control (C2) communications.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1048", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a .NET tool named dog.exe to exfiltrate information over an e-mail account.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1048.003", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used [ftp](https://attack.mitre.org/software/S0095) for exfiltration.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has exfiltrated data over the C2 channel.(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to list files upon receiving the ls command from C2.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to hide and unhide files.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to overwrite scripts and delete itself if a sandbox environment is detected.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a Python tool named klog.exe for keylogging.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "showSubtechniques": true},
    {"techniqueID": "T1559.002", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) was delivered with documents using DDE to execute malicious code.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has made registry modifications to alter its behavior upon execution.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) used TLS to encrypt communications over port 143.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a custom encryption scheme for communication between scripts.(Citation: Talos PoetRAT April 2020)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used `pyminifier` to obfuscate scripts.(Citation: Talos PoetRAT October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) used voStro.exe, a compiled pypykatz (Python version of [Mimikatz](https://attack.mitre.org/software/S0002)), to steal credentials.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) was distributed via malicious Word documents.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to list all running processes.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1018", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) used Nmap for remote system discovery.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to take screen captures.(Citation: Talos PoetRAT April 2020)(Citation: Dragos Threat Report 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has the ability to gather information about the compromised host.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) sent username, computer name, and the previously generated UUID in reply to a \"who\" command from C2.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used spearphishing attachments to infect victims.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1125", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) has used a Python tool named Bewmac to record the webcam on compromised hosts.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[PoetRAT](https://attack.mitre.org/software/S0428) checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of \"License.txt\" and exiting.(Citation: Talos PoetRAT April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by PoetRAT", "color": "#66b1ff"}]
}