{"description": "Enterprise techniques used by Pony, ATT&CK software S0453 (v1.0)", "name": "Pony (S0453)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Pony](https://attack.mitre.org/software/S0453) has used the NetUserEnum function to enumerate local accounts.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Pony](https://attack.mitre.org/software/S0453) has sent collected information to the C2 via HTTP POST request.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "showSubtechniques": true}, {"techniqueID": "T1110.001", "comment": "[Pony](https://attack.mitre.org/software/S0453) has used a small dictionary of common passwords against a collected list of local accounts.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Pony](https://attack.mitre.org/software/S0453) has used batch scripts to delete itself after execution.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Pony](https://attack.mitre.org/software/S0453) has used scripts to delete itself after execution.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Pony](https://attack.mitre.org/software/S0453) can download additional files onto the infected system.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "[Pony](https://attack.mitre.org/software/S0453) has used the Adobe Reader icon for the downloaded file to look more trustworthy.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Pony](https://attack.mitre.org/software/S0453) has used several Windows functions for various purposes.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[Pony](https://attack.mitre.org/software/S0453) attachments have been delivered via compressed archive files.(Citation: Malwarebytes Pony April 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[Pony](https://attack.mitre.org/software/S0453) obfuscates memory flow by adding junk instructions when executing to make analysis more difficult.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Pony](https://attack.mitre.org/software/S0453) has been delivered via spearphishing attachments.(Citation: Malwarebytes Pony April 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Pony](https://attack.mitre.org/software/S0453) has been delivered via spearphishing emails which contained malicious links.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Pony](https://attack.mitre.org/software/S0453) has collected the Service Pack, language, and region information to send to the C2.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Pony](https://attack.mitre.org/software/S0453) has attempted to lure targets into clicking links in spoofed emails from legitimate banks.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Pony](https://attack.mitre.org/software/S0453) has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format).(Citation: Malwarebytes Pony April 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Pony](https://attack.mitre.org/software/S0453) has delayed execution using a built-in function to avoid detection and analysis.(Citation: Malwarebytes Pony April 2016)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Pony", "color": "#66b1ff"}]}