{
  "description": "Enterprise techniques used by WindTail, ATT&CK software S0466 (v1.1)",
  "name": "WindTail (S0466)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to use HTTP for C2 communications.(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to use the macOS built-in zip utility to archive files.(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "[WindTail](https://attack.mitre.org/software/S0466) can identify and add files that possess specific file extensions to an array for archiving.(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.004", "comment": "[WindTail](https://attack.mitre.org/software/S0466) can use the open command to execute an application.(Citation: objective-see windtail1 dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to decrypt strings using hard-coded AES keys.(Citation: objective-see windtail1 dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1048", "showSubtechniques": true},
    {"techniqueID": "T1048.003", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl.(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to enumerate the user's home directory and the path to its own application bundle.(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.003", "comment": "[WindTail](https://attack.mitre.org/software/S0466) can instruct the OS to execute an application without a dock icon or menu.(Citation: objective-see windtail1 dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to receive and execute a self-delete command.(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has used icons mimicking MS Office files to mask payloads.(Citation: objective-see windtail1 dec 2018)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1036.001", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has been incompletely signed with revoked certificates.(Citation: objective-see windtail1 dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[WindTail](https://attack.mitre.org/software/S0466) can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[WindTail](https://attack.mitre.org/software/S0466) can be delivered as a compressed, encrypted, and encoded payload.(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "[WindTail](https://attack.mitre.org/software/S0466) can be delivered as a compressed, encrypted, and encoded payload.(Citation: objective-see windtail2 jan 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1124", "comment": "[WindTail](https://attack.mitre.org/software/S0466) has the ability to generate the current date and time.(Citation: objective-see windtail1 dec 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by WindTail", "color": "#66b1ff"}]
}
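The layer above mixes two kinds of rows: entries that carry a score and a cited comment (actual WindTail behaviour) and bare parent rows such as T1071 or T1048 that exist only to expand their sub-techniques in Navigator. Note also that T1036 has a score but no explicit "color"; Navigator falls back to the gradient for such rows, which is why it renders in the same blue as the rest. The following script is an added example, not part of the ATT&CK layer and not MITRE tooling: it loads a constructed excerpt of the layer, separates evidence rows from scaffolding, checks that every sub-technique has its parent row present and that IDs are well formed, and reproduces the colour each row would get. The gradient interpolation and the rule that an explicit "color" overrides the score gradient are this example's reading of Navigator's behaviour, not something the layer states.

```python
"""Added example: parse an ATT&CK Navigator layer and check its structure.
Not part of the WindTail layer or of MITRE's Navigator code."""
import json
import re

# Constructed excerpt of the WindTail (S0466) layer; comments abbreviated,
# technique IDs, scores, colours and gradient copied from the layer itself.
LAYER_EXCERPT = json.loads("""
{"name": "WindTail (S0466)", "domain": "enterprise-attack",
 "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
 "techniques": [
   {"techniqueID": "T1071", "showSubtechniques": true},
   {"techniqueID": "T1071.001", "comment": "HTTP for C2", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
   {"techniqueID": "T1048", "showSubtechniques": true},
   {"techniqueID": "T1048.003", "comment": "exfil via /usr/bin/curl", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
   {"techniqueID": "T1036", "comment": "icons mimicking MS Office files", "score": 1, "showSubtechniques": true},
   {"techniqueID": "T1036.001", "comment": "incompletely signed, revoked certs", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
   {"techniqueID": "T1124", "comment": "current date and time", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
 ],
 "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
 "legendItems": [{"label": "used by WindTail", "color": "#66b1ff"}]}
""")

# ATT&CK technique IDs: Tnnnn, optionally followed by a .nnn sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def scored_entries(layer):
    """IDs of rows that carry a score, i.e. rows backed by a cited behaviour."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if "score" in t)


def scaffold_entries(layer):
    """IDs of parent rows with no score; they only set showSubtechniques."""
    return sorted(t["techniqueID"] for t in layer["techniques"] if "score" not in t)


def orphan_subtechniques(layer):
    """Sub-technique rows whose parent technique has no row of its own."""
    ids = {t["techniqueID"] for t in layer["techniques"]}
    return sorted(tid for tid in ids if "." in tid and tid.split(".")[0] not in ids)


def malformed_ids(layer):
    """Rows whose techniqueID does not look like an ATT&CK technique ID."""
    return sorted(t["techniqueID"] for t in layer["techniques"]
                  if not TECHNIQUE_ID.match(t["techniqueID"]))


def gradient_color(layer, score):
    """Linear interpolation of a score across the layer's gradient stops
    (assumed to be how Navigator maps scores to cell colours)."""
    g = layer["gradient"]
    stops = [tuple(int(c[i:i + 2], 16) for i in (1, 3, 5)) for c in g["colors"]]
    lo, hi = g["minValue"], g["maxValue"]
    frac = 0.0 if hi == lo else min(max((score - lo) / (hi - lo), 0.0), 1.0)
    pos = frac * (len(stops) - 1)
    i = min(int(pos), len(stops) - 2)
    t = pos - i
    rgb = [round(a + (b - a) * t) for a, b in zip(stops[i], stops[i + 1])]
    return "#%02x%02x%02x" % tuple(rgb)


def effective_color(layer, technique_id):
    """Colour a row would render with: explicit "color" first, else the
    gradient colour of its score, else None for an unscored scaffold row."""
    for t in layer["techniques"]:
        if t["techniqueID"] == technique_id:
            if "color" in t:
                return t["color"]
            return gradient_color(layer, t["score"]) if "score" in t else None
    raise KeyError(technique_id)


def summarize(layer):
    """Counts a reviewer would want before trusting a layer as coverage data."""
    return {
        "scored": len(scored_entries(layer)),
        "scaffold": len(scaffold_entries(layer)),
        "orphans": len(orphan_subtechniques(layer)),
        "malformed": len(malformed_ids(layer)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(LAYER_EXCERPT), indent=2))
    for tid in ("T1036", "T1071"):
        print(tid, effective_color(LAYER_EXCERPT, tid))
```

Swap `LAYER_EXCERPT` for `json.load(open("windtail-layer.json"))` to run it over the full layer; the orphan and malformed-ID checks are the ones that catch hand-edited layers before they are merged into a coverage view.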