{"description": "Enterprise techniques used by MESSAGETAP, ATT&CK software S0443 (v1.0)", "name": "MESSAGETAP (S0443)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[MESSAGETAP](https://attack.mitre.org/software/S0443) has XOR-encrypted and stored contents of SMS messages that matched its target list. (Citation: FireEye MESSAGETAP October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[MESSAGETAP](https://attack.mitre.org/software/S0443) checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor. (Citation: FireEye MESSAGETAP October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[MESSAGETAP](https://attack.mitre.org/software/S0443) stored targeted SMS messages that matched its target list in CSV files on the compromised system. (Citation: FireEye MESSAGETAP October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "After checking for the existence of two files, keyword_parm.txt and parm.txt, [MESSAGETAP](https://attack.mitre.org/software/S0443) XOR decodes and reads the contents of the files. (Citation: FireEye MESSAGETAP October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[MESSAGETAP](https://attack.mitre.org/software/S0443) checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds. (Citation: FireEye MESSAGETAP October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "Once loaded into memory, [MESSAGETAP](https://attack.mitre.org/software/S0443) deletes the keyword_parm.txt and parm.txt configuration files from disk. (Citation: FireEye MESSAGETAP October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1040", "comment": "[MESSAGETAP](https://attack.mitre.org/software/S0443) uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. (Citation: FireEye MESSAGETAP October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "After loading the keyword and phone data files, [MESSAGETAP](https://attack.mitre.org/software/S0443) begins monitoring all network connections to and from the victim server. (Citation: FireEye MESSAGETAP October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by MESSAGETAP", "color": "#66b1ff"}]}