{
  "description": "Enterprise techniques used by Carberp, ATT&CK software S0484 (v1.2)",
  "name": "Carberp (S0484)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has connected to C2 servers via HTTP.(Citation: Trusteer Carberp October 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has maintained persistence by placing itself inside the current user's startup folder.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1185", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has captured credentials when a user performs a login through an SSL session.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1555", "comment": "[Carberp](https://attack.mitre.org/software/S0484)'s passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "[Carberp](https://attack.mitre.org/software/S0484)'s passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has exfiltrated data via HTTP to already established C2 servers.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1068", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.(Citation: ESET Carberp March 2012)(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1564", "showSubtechniques": true},
    {"techniqueID": "T1564.001", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has created a hidden file in the Startup folder of the current user.(Citation: Trusteer Carberp October 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Carberp](https://attack.mitre.org/software/S0484) can download and execute new plugins from the C2 server.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.004", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has hooked several Windows API functions to steal credentials.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has masqueraded as Windows system file names, as well as \"chkntfs.exe\" and \"syscron.exe\".(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.(Citation: Trusteer Carberp October 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has used XOR-based encryption to mask C2 server locations within the trojan.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1542", "showSubtechniques": true},
    {"techniqueID": "T1542.003", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has installed a bootkit on the system to maintain persistence.(Citation: ESET Carberp March 2012)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has collected a list of running processes.(Citation: Trusteer Carberp October 2010)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.001", "comment": "[Carberp](https://attack.mitre.org/software/S0484)'s bootkit can inject a malicious DLL into the address space of running processes.(Citation: ESET Carberp March 2012)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055.004", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has queued an APC routine to explorer.exe by calling ZwQueueApcThread.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1012", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has searched the Image File Execution Options registry key for \"Debugger\" within every subkey.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.005", "comment": "[Carberp](https://attack.mitre.org/software/S0484) can start a remote VNC session by downloading a new plugin.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1014", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has used user mode rootkit techniques to remain hidden on the system.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1113", "comment": "[Carberp](https://attack.mitre.org/software/S0484) can capture display screenshots with the screens_dll.dll plugin.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has queried the infected system's registry searching for specific registry keys associated with antivirus products.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has collected the operating system version from the infected system.(Citation: Prevx Carberp March 2011)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1497", "comment": "[Carberp](https://attack.mitre.org/software/S0484) has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.(Citation: ESET Carberp March 2012)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Carberp", "color": "#66b1ff"}]
}
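The T1027.013 entry above notes that Carberp masked its C2 server locations with XOR-based encryption. The analyst-side counterpart, recovering a single-byte-XOR-masked URL from a blob of unpacked sample data by brute-forcing the key and scoring candidates, is shown below as an added example. It is not Carberp's code and not from the ATT&CK layer; the page does not say how Carberp applied its XOR, so the masking scheme, the key `0x5A`, the filler bytes and the hostname `c2.example.invalid` are all constructed for illustration. Real samples may use multi-byte or rolling keys, which this single-byte search will not recover.

```python
"""
Added example (not Carberp's code, nor from the ATT&CK page): recovering a
single-byte-XOR-masked C2 URL from a binary blob, the analyst side of the
T1027.013 behaviour in the layer above. Scheme, key, filler bytes and the
hostname are constructed assumptions; the page does not describe Carberp's
actual XOR layout.
"""
import re
from typing import List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; masking and unmasking are the same operation."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


# Constructed sample: a fake C2 URL masked with key 0x5A, surrounded by a few
# filler bytes to mimic the data that sits around a string in an unpacked image.
SAMPLE_KEY = 0x5A
SAMPLE_C2 = b"http://c2.example.invalid/gate.php"
SAMPLE_BLOB = (
    bytes([0x13, 0x8F, 0x00, 0xF7])
    + xor_bytes(SAMPLE_C2, SAMPLE_KEY)
    + bytes([0x5A, 0xC4, 0x91])
)

# Loose URL matcher used only as a plaintext detector; it stops at the first
# byte outside the allowed character classes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._\-/?=&%]*)?")


def score_plaintext(candidate: bytes) -> int:
    """Heuristic score: printable-ASCII count, plus a large bonus if a URL appears."""
    score = sum(1 for b in candidate if 0x20 <= b < 0x7F)
    if URL_RE.search(candidate):
        score += 1000
    return score


def recover_single_byte_xor(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 single-byte keys and return the (key, plaintext) with the best score.

    XOR is a bijection per key, so exactly one key turns the masked bytes back
    into the original URL; the URL bonus makes that key win over keys that merely
    produce a lot of printable characters.
    """
    best_key, best_plain, best_score = 0, blob, -1
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score_plaintext(plain)
        if s > best_score:
            best_key, best_plain, best_score = key, plain, s
    return best_key, best_plain


def extract_c2_indicators(plain: bytes) -> List[str]:
    """Pull every URL-looking run out of recovered plaintext for use as indicators."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(plain)]


if __name__ == "__main__":
    key, plain = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"recovered key: 0x{key:02x}")
    for url in extract_c2_indicators(plain):
        print(f"C2 indicator: {url}")
```

Run it on a real unpacked section by replacing `SAMPLE_BLOB` with the bytes of interest; the scoring heuristic is deliberately simple, so on large inputs check the top few keys rather than trusting only the best one.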