{"description": "Enterprise techniques used by RegDuke, ATT&CK software S0511 (v1.1)", "name": "RegDuke (S0511)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can extract and execute PowerShell scripts from C2 communications.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can decrypt strings with a key either stored in the Registry or hardcoded in the code.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.003", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can download files from C2.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can create a seemingly legitimate Registry key to store its encryption key.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can use control-flow flattening or the commercially available .NET Reactor for obfuscation.(Citation: ESET Dukes October 2019)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.003", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can hide data in images, including use of the Least Significant Bit (LSB).(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can store its encryption key in the Registry.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[RegDuke](https://attack.mitre.org/software/S0511) can use Dropbox as its C2 server.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by RegDuke", "color": "#66b1ff"}]}