{"description": "Enterprise techniques used by PolyglotDuke, ATT&CK software S0518 (v1.1)", "name": "PolyglotDuke (S0518)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) has used HTTP GET requests in C2 communications.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can use a custom algorithm to decrypt strings used by the malware.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can retrieve payloads from the C2 server.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can write encrypted JSON configuration files to the Registry.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can use LoadLibraryW and CreateProcess to load and execute code.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can custom encrypt strings.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.003", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can use steganography to hide C2 information in images.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1027.011", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can store encrypted JSON configuration files in the Registry.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can be executed using rundll32.exe.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can use Twitter, Reddit, Imgur and other websites to get a C2 URL.(Citation: ESET Dukes October 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PolyglotDuke", "color": "#66b1ff"}]}