{"description": "Enterprise techniques used by StrongPity, ATT&CK software S0491 (v1.1)", "name": "StrongPity (S0491)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can use HTTP and HTTPS in C2 communications.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can compress and encrypt archived files into multiple .sft files with a repeated xor encryption scheme.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1020", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can automatically exfiltrate collected documents to the C2 server.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can use the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Registry key for persistence.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can use PowerShell to add files to the Windows Defender exclusions list.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has created new services and modified existing services for persistence.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has encrypted C2 traffic using SSL/TLS.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can exfiltrate collected documents through C2 channels.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can parse the hard drive on a compromised host to identify specific file extensions.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has the ability to hide the console window for its document search module from the user.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can add directories used by the malware to the Windows Defender exclusions list to prevent detection.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can delete previously exfiltrated files from the compromised host.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can download files to specified targets.(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has been bundled with legitimate software installation files for disguise.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1571", "comment": "\n[StrongPity](https://attack.mitre.org/software/S0491) has used HTTPS over port 1402 in C2 communication.(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has used encrypted strings in its dropper component.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can determine if a user is logged in by checking to see if explorer.exe is running.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can identify if ESET or BitDefender antivirus are installed before dropping its payload.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has been signed with self-signed certificates.(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can identify the hard disk volume serial number on a compromised host.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can identify the IP address of a compromised host.(Citation: Talos Promethium June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) can install a service to execute itself as a service.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[StrongPity](https://attack.mitre.org/software/S0491) has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by StrongPity", "color": "#66b1ff"}]}