{"description": "Enterprise techniques used by Aria-body, ATT&CK software S0456 (v1.2)", "name": "Aria-body (S0456)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to duplicate a token from ntprint.exe.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to execute a process using runas.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has used HTTP in C2 communications.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the titles of running windows on a compromised host.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1560", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has used ZIP to compress data gathered on a compromised host.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has established persistence via the Startup folder or Run Registry key.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1025", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to collect data from USB devices.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to decrypt the loader configuration and payload DLL.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to use a DGA for C2 communications.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to gather metadata from a file and to search for file and directory names.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to delete files and directories on compromised hosts.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to download additional payloads from C2.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to launch files using ShellExecute.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has used TCP in C2 communications.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has used an encrypted configuration file for its loader.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to enumerate loaded modules for a process.(Citation: CheckPoint Naikon May 2020).", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to use a reverse SOCKS proxy module.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to capture screenshots on compromised hosts.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the location, public IP address, and domain name on a compromised host.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to gather TCP and UDP table status listings.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Aria-body](https://attack.mitre.org/software/S0456) has the ability to identify the username on a compromised host.(Citation: CheckPoint Naikon May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Aria-body", "color": "#66b1ff"}]}