{"description": "Enterprise techniques used by SoreFang, ATT&CK software S0516 (v1.0)", "name": "SoreFang (S0516)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can collect usernames from the local system via net.exe user.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can enumerate domain accounts via net.exe user /domain.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can use HTTP in C2 communications.(Citation: CISA SoreFang July 2016)(Citation: NCSC APT29 July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can decode and decrypt exfiltrated data sent to C2.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1190", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) has the ability to list directories.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can download additional payloads from C2.(Citation: CISA SoreFang July 2016)(Citation: NCSC APT29 July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) has the ability to encode and RC6 encrypt data sent to C2.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can enumerate domain groups by executing net.exe group /domain.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can enumerate processes on a victim machine through use of [Tasklist](https://attack.mitre.org/software/S0057).(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can gain persistence through use of scheduled tasks.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing [Systeminfo](https://attack.mitre.org/software/S0096).(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[SoreFang](https://attack.mitre.org/software/S0516) can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via ipconfig.exe /all.(Citation: CISA SoreFang July 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], 
"minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SoreFang", "color": "#66b1ff"}]}