{
  "description": "Enterprise techniques used by Ramsay, ATT&CK software S0458 (v1.1)",
  "name": "Ramsay (S0458)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can use [UACMe](https://attack.mitre.org/software/S0116) for privilege escalation.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has used HTTP for C2.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can compress and archive collected files using WinRAR.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560.003", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.(Citation: Eset Ramsay May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow-up scans.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has created Registry Run keys to establish persistence.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has included embedded Visual Basic scripts in malicious documents.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has used base64 to encode its C2 traffic.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1039", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can collect data from network drives and stage it for exfiltration.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1025", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can collect data from removable media and stage it for exfiltration.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can stage data prior to exfiltration in %APPDATA%\\Microsoft\\UserSetting and %APPDATA%\\Microsoft\\UserSetting\\MediaCache.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can extract its agent from the body of a malicious document.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.010", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can insert itself into the address space of other applications using the AppInit DLL Registry key.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1203", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can collect directory and file lists.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "showSubtechniques": true},
    {"techniqueID": "T1559.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can use the Windows COM API to schedule tasks and maintain persistence.(Citation: Eset Ramsay May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559.002", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has been delivered using OLE objects in malicious documents.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has masqueraded as a JPG image file.(Citation: Eset Ramsay May 2020)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has masqueraded as a 7zip installer.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. [Ramsay](https://attack.mitre.org/software/S0458) can execute its embedded components via CreateProcessA and ShellExecute.(Citation: Eset Ramsay May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1046", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can scan for systems that are vulnerable to the EternalBlue exploit.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can scan for network drives which may contain documents for collection.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has base64-encoded its portable executable and hidden itself under a JPG header. [Ramsay](https://attack.mitre.org/software/S0458) can also embed information within document footers.(Citation: Eset Ramsay May 2020)\t", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1027.003", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has PE data embedded within JPEG files contained within Word documents.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can scan for removable media which may contain documents for collection.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1566", "showSubtechniques": true},
    {"techniqueID": "T1566.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has been distributed through spearphishing emails with malicious attachments.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can gather a list of running processes by using [Tasklist](https://attack.mitre.org/software/S0057).(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can use ImprovedReflectiveDLLInjection to deploy components.(Citation: Eset Ramsay May 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1091", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can spread itself by infecting other portable executable files on removable drives.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1014", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has included a rootkit to evade defenses.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can schedule tasks via the Windows COM API to maintain persistence.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can take screenshots every 30 seconds as well as when an external removable storage device is connected.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can use [ipconfig](https://attack.mitre.org/software/S0100) and [Arp](https://attack.mitre.org/software/S0099) to collect network configuration information, including routing information and ARP tables.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1049", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can use netstat to enumerate network connections.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1080", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) can spread itself by infecting other portable executable files on network shared drives.(Citation: Eset Ramsay May 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1204", "showSubtechniques": true},
    {"techniqueID": "T1204.002", "comment": "[Ramsay](https://attack.mitre.org/software/S0458) has been executed through malicious e-mail attachments.(Citation: Antiy CERT Ramsay April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Ramsay", "color": "#66b1ff"}]
}