{"description": "Enterprise techniques used by Lokibot, ATT&CK software S0447 (v2.0)", "name": "Lokibot (S0447)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "\n[Lokibot](https://attack.mitre.org/software/S0447) has utilized multiple techniques to bypass UAC.(Citation: Talos Lokibot Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has used HTTP for C2 communications.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has used PowerShell commands embedded inside batch scripts.(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has used cmd /c commands embedded within batch scripts.(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has used VBS scripts and XLS macros for execution.(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients.(Citation: Infoblox Lokibot January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": 
"[Lokibot](https://attack.mitre.org/software/S0447) has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.(Citation: Infoblox Lokibot January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.(Citation: Talos Lokibot Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.(Citation: FSecure Lokibot November 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) can search for specific files on an infected host.(Citation: Talos Lokibot Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to copy itself to a hidden file and directory.(Citation: Infoblox Lokibot January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) will delete its dropped files after bypassing UAC.(Citation: Talos Lokibot Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) downloaded several staged items onto the victim's machine.(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": 
"#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to capture input on the compromised host via keylogging.(Citation: FSecure Lokibot November 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has modified the Registry as part of its UAC bypass process.(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.(Citation: Talos Lokibot Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has obfuscated strings with base64 encoding.(Citation: Infoblox Lokibot January 2019)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has used several packing methods for obfuscation.(Citation: Infoblox Lokibot January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) is delivered via a malicious XLS attachment contained within a spearphishing email.(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has used process hollowing to inject itself into a legitimate Windows process.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021) ", "score": 1, 
"color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1620", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has reflectively loaded the decoded DLL into memory.(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "comment": "[Lokibot](https://attack.mitre.org/software/S0447)'s second stage DLL has set a timer using \u201ctimeSetEvent\u201d to schedule its next execution.(Citation: Talos Lokibot Jan 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) embedded the commands schtasks /Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I inside a batch script.(Citation: Talos Lokibot Jan 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to discover the computer name and Windows product name/version.(Citation: FSecure Lokibot November 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to discover the domain name of the infected host.(Citation: FSecure Lokibot November 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has the ability to discover the username on the infected host.(Citation: FSecure Lokibot November 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has tricked recipients into enabling malicious macros by getting victims to click \"enable content\" in email attachments.(Citation: TrendMicro Msiexec Feb 2018)(Citation: Talos Lokibot Jan 2021)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Lokibot](https://attack.mitre.org/software/S0447) has performed a time-based anti-debug check before downloading its third stage.(Citation: Talos Lokibot Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Lokibot", "color": "#66b1ff"}]}