{"description": "Enterprise techniques used by BLINDINGCAN, ATT&CK software S0520 (v1.1)", "name": "BLINDINGCAN (S0520)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has used HTTPS over port 443 for command and control.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has executed commands via cmd.exe.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has encoded its C2 traffic with Base64.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has uploaded files from victim machines.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has used AES and XOR to decrypt its DLLs.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has encrypted its C2 traffic with RC4.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041",
"comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has sent user and system information to a C2 server via HTTP POST requests.(Citation: NHS UK BLINDINGCAN Aug 2020)(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) can search, read, write, move, and execute files.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has deleted itself and associated artifacts from victim machines.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has modified file and directory timestamps.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has downloaded files to a victim machine.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has attempted to hide its payload by using legitimate file names such as \"iconcache.db\".(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has been packed with the UPX packer.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment":
"[BLINDINGCAN](https://attack.mitre.org/software/S0520) has obfuscated code using Base64 encoding.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has been delivered by phishing emails containing malicious Microsoft Office documents.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1129", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has loaded and executed DLLs in memory during runtime on a victim machine.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has been signed with code-signing certificates such as CodeRipper.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has used Rundll32 to load a malicious DLL.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has collected the victim machine's local IP address information and MAC address.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[BLINDINGCAN](https://attack.mitre.org/software/S0520) has lured victims into executing malicious macros embedded within Microsoft Office documents.(Citation: US-CERT BLINDINGCAN Aug 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by BLINDINGCAN", "color": "#66b1ff"}]}