{"description": "Enterprise techniques used by BackConfig, ATT&CK software S0475 (v1.1)", "name": "BackConfig (S0475)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to use HTTPS for C2 communications.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) can download and run batch files to execute commands on a compromised host.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has used VBS to install its downloader component and malicious documents with VBA macro code.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has used a custom routine to decrypt strings.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to identify folders and files related to previous infections.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to set folders or files to be hidden from the Windows Explorer default view.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to remove files and folders related to previous infections.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) can download and execute additional payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has hidden malicious payloads in %USERPROFILE%\\Adobe\\Driver\\dwg\\ and mimicked the legitimate DHCP service binary.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has used compressed and decimal encoded VBS scripts.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1137", "showSubtechniques": true}, {"techniqueID": "T1137.001", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, 
{"techniqueID": "T1053.005", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has been signed with self-signed digital certificates mimicking a legitimate software company.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has the ability to gather the victim's computer name.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[BackConfig](https://attack.mitre.org/software/S0475) has compromised victims via links to URLs hosting malicious content.(Citation: Unit 42 BackConfig May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BackConfig", "color": "#66b1ff"}]}