{"description": "Enterprise techniques used by KGH_SPY, ATT&CK software S0526 (v1.1)", "name": "KGH_SPY (S0526)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can send data to C2 with HTTP POST requests.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037", "showSubtechniques": true}, {"techniqueID": "T1037.001", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) has the ability to set the HKCU\\Environment\\UserInitMprLogonScript Registry key to execute logon scripts.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can execute PowerShell commands on the victim's machine.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) has the ability to set a Registry key to run a cmd.exe command.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can collect credentials from WINSCP.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.004", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can collect credentials from the Windows Credential Manager.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can send a file containing victim system information to C2.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can save collected system information to a file named \"info\" before exfiltration.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can decrypt encrypted strings and write them to a newly created folder.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.001", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can harvest data from mail clients.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can exfiltrate collected information from the host to the C2 server.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can enumerate files and directories on a compromised host.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) has the ability to download and execute code from remote servers.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can perform keylogging by polling the GetAsyncKeyState() function.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) has masqueraded as a legitimate Windows tool.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) has used encrypted strings in its installer.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can collect information on installed applications.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) can collect drive information from a compromised host.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[KGH_SPY](https://attack.mitre.org/software/S0526) has been spread through Word documents containing malicious macros.(Citation: Cybereason Kimsuky November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by KGH_SPY", "color": "#66b1ff"}]}