{
  "description": "Enterprise techniques used by Pillowmint, ATT&CK software S0517 (v1.2)",
  "name": "Pillowmint (S0517)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1560", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has encrypted stolen credit card information with AES and further encoded it with Base64.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has used a PowerShell script to install a shim database.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has collected credit card data using native API functions.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has been decompressed by included shellcode prior to being launched.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.011", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has used a malicious shim database to maintain persistence.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has deleted the filepath %APPDATA%\\Intel\\devmonsrv.exe.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.009", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) can uninstall the malicious service from an infected machine.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has modified the Registry key HKLM\\SOFTWARE\\Microsoft\\DRM to store a malicious payload.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has used multiple native Windows APIs to execute and conduct process injections.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has obfuscated the AES key used for encryption.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.011", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has stored a compressed payload in the Registry key HKLM\\SOFTWARE\\Microsoft\\DRM.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has been compressed and stored within a registry key.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) can iterate through running processes every six seconds collecting a list of processes to capture from later.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "showSubtechniques": true},
    {"techniqueID": "T1055.004", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has used the NtQueueApcThread syscall to inject code into svchost.exe.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1012", "comment": "[Pillowmint](https://attack.mitre.org/software/S0517) has used shellcode which reads code stored in the registry keys \\REGISTRY\\SOFTWARE\\Microsoft\\DRM using the native Windows API as well as read HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces as part of its C2.(Citation: Trustwave Pillowmint June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Pillowmint", "color": "#66b1ff"}]
}