{
  "description": "Enterprise techniques used by SDBbot, ATT&CK software S0461 (v2.1)",
  "name": "SDBbot (S0461)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to use the command shell to execute commands on a compromised host.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to access the file system on a compromised host.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to decrypt and decompress its payload to enable code execution.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.011", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1546.012", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has sent collected data from a compromised host to its C2 servers.(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to get directory listings or drive information on a compromised host.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to clean up and remove data structures from a compromised host.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to delete files from a compromised host.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to download a DLL from C2 to a compromised host.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1095", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to communicate with C2 with TCP over port 443.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to XOR the strings for its installer component with a hardcoded 128-byte key.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has used a packed installer file.(Citation: IBM TA505 April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) can enumerate a list of running processes on a compromised machine.(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to inject a downloaded DLL into a newly created rundll32.exe process.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to use port forwarding to establish a proxy between a target host and C2.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.001", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to use RDP to connect to victim machines.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has used rundll32.exe to execute DLLs.(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to identify the OS version, OS bitness, and computer name.(Citation: Proofpoint TA505 October 2019)(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) can collect the country code of a compromised machine.(Citation: Korean FSI TA505 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to determine the domain name and whether a proxy is configured on a compromised host.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to identify the user on a compromised host.(Citation: Proofpoint TA505 October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1125", "comment": "[SDBbot](https://attack.mitre.org/software/S0461) has the ability to record video on a compromised host.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by SDBbot", "color": "#66b1ff"}]
}