{
  "description": "Enterprise techniques used by RDAT, ATT&CK software S0495 (v1.0)",
  "name": "RDAT (S0495)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.003", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can use email attachments for C2 communications.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.004", "comment": "[RDAT](https://attack.mitre.org/software/S0495) has used DNS to communicate with the C2.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[RDAT](https://attack.mitre.org/software/S0495) has executed commands using cmd.exe /c.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[RDAT](https://attack.mitre.org/software/S0495) has created a service when it is installed on the victim machine.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can communicate with the C2 via base32-encoded subdomains.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132.002", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can communicate with the C2 via subdomains that utilize base64 with character substitutions.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1001", "comment": "[RDAT](https://attack.mitre.org/software/S0495) has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.(Citation: Unit42 RDAT July 2020)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1001.002", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can process steganographic images attached to email messages to send and receive C2 commands. [RDAT](https://attack.mitre.org/software/S0495) can also embed additional messages within BMP images to communicate with the [RDAT](https://attack.mitre.org/software/S0495) operator.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1030", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. [RDAT](https://attack.mitre.org/software/S0495) can also download data from the C2 which is split into 81,920-byte portions.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[RDAT](https://attack.mitre.org/software/S0495) has used AES ciphertext to encode C2 communications.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[RDAT](https://attack.mitre.org/software/S0495) has used HTTP if DNS C2 communications were not functioning.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can issue SOAP requests to delete already processed C2 emails. [RDAT](https://attack.mitre.org/software/S0495) can also delete itself from the infected system.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can download files via DNS.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[RDAT](https://attack.mitre.org/software/S0495) has used Windows Video Service as a name for malicious services.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[RDAT](https://attack.mitre.org/software/S0495) has masqueraded as VMware.exe.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.003", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can also embed data within a BMP image prior to exfiltration.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[RDAT](https://attack.mitre.org/software/S0495) can take a screenshot on the infected system.(Citation: Unit42 RDAT July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by RDAT", "color": "#66b1ff"}]
}