{"description": "Enterprise techniques used by GoldenSpy, ATT&CK software S0493 (v1.1)", "name": "GoldenSpy (S0493)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) has used the Ryeol HTTP Client to facilitate HTTP internet communication.(Citation: Trustwave GoldenSpy June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) can execute remote commands via the command-line interface.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) can create new users on an infected system.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) has established persistence by running in the background as an autostart service.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) has exfiltrated host environment information to an external C2 domain via port 9006.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) has included a program \"ExeProtector\", which monitors for the existence of [GoldenSpy](https://attack.mitre.org/software/S0493) on the infected system and redownloads if necessary.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493)'s uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.(Citation: Trustwave GoldenSpy2 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) constantly attempts to download and execute files from the remote C2, including [GoldenSpy](https://attack.mitre.org/software/S0493) itself if not found on the system.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493)'s setup file installs initial executables under the folder %WinDir%\\System32\\PluginManager.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) can execute remote commands in the Windows command shell using the WinExec() API.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.(Citation: Trustwave GoldenSpy June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493)'s uninstaller has base64-encoded its variables. (Citation: Trustwave GoldenSpy2 June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1195", "showSubtechniques": true}, {"techniqueID": "T1195.002", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) has been packaged with a legitimate tax preparation software.(Citation: Trustwave GoldenSpy June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493) has gathered operating system information.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[GoldenSpy](https://attack.mitre.org/software/S0493)'s installer has delayed installation of [GoldenSpy](https://attack.mitre.org/software/S0493) for two hours after it reaches a victim system.(Citation: Trustwave GoldenSpy June 2020)\t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by GoldenSpy", "color": "#66b1ff"}]}