{
  "description": "Enterprise techniques used by HotCroissant, ATT&CK software S0431 (v1.1)",
  "name": "HotCroissant (S0431)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1010", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to list the names of all open windows on the infected host.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) can remotely open applications on the infected host with the ShellExecuteA command.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has compressed network communications and encrypted them with a custom stream cipher.(Citation: Carbon Black HotCroissant April 2020)(Citation: US-CERT HOTCROISSANT February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to download files from the infected host to the command and control (C2) server.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to retrieve a list of files in a given directory as well as drives and drive types.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to hide the window for operations performed on a given file.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to clean up installed files, delete files, and delete itself from the victim\u2019s machine.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to upload a file from the command and control (C2) server to the victim machine.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.(Citation: US-CERT HOTCROISSANT February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has used the open source UPX executable packer.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has encrypted strings with single-byte XOR and base64 encoded RC4.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to list running processes on the infected host.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has attempted to install a scheduled task named \u201cJava Maintenance64\u201d on startup to establish persistence.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to do real time screen viewing on an infected host.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1489", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to stop services on the infected host.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) can retrieve a list of applications from the SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths registry key.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.(Citation: US-CERT HOTCROISSANT February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to identify the IP address of the compromised machine.(Citation: US-CERT HOTCROISSANT February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to collect the username on the infected host.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[HotCroissant](https://attack.mitre.org/software/S0431) has the ability to retrieve a list of services on the infected host.(Citation: Carbon Black HotCroissant April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by HotCroissant", "color": "#66b1ff"}]
}