{"description": "Enterprise techniques used by Egregor, ATT&CK software S0554 (v1.0)", "name": "Egregor (S0554)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has communicated with its C2 servers via HTTPS protocol.(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1197", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used BITSadmin to download and execute malicious DLLs.(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used an encoded PowerShell command by a service created by [Cobalt Strike](https://attack.mitre.org/software/S0154) for lateral movement.(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used batch files for execution and can launch Internet Explorer from cmd.exe.(Citation: JoeSecurity Egregor 2020)(Citation: Cybereason Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Egregor](https://attack.mitre.org/software/S0554) can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cybereason Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1039", "comment": "[Egregor](https://attack.mitre.org/software/S0554) can collect any files found in the enumerated drives before sending them to its C2 channel.(Citation: NHS Digital Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has been decrypted before execution.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cybereason Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1484", "showSubtechniques": true}, {"techniqueID": "T1484.001", "comment": "[Egregor](https://attack.mitre.org/software/S0554) can modify the GPO to evade detection.(Citation: Cybereason Egregor Nov 2020)(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used DLL side-loading to execute its payload.(Citation: Cyble Egregor Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has disabled Windows Defender to evade protections.(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has the ability to download files from its C2 server.(Citation: Cybereason Egregor Nov 2020)(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has masqueraded the svchost.exe process to exfiltrate data.(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used the Windows API to make detection more difficult.(Citation: Cyble Egregor Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Egregor](https://attack.mitre.org/software/S0554)'s payloads are custom-packed, archived and encrypted to prevent analysis.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.002", "comment": "[Egregor](https://attack.mitre.org/software/S0554) can conduct Active Directory reconnaissance using tools such as Sharphound or [AdFind](https://attack.mitre.org/software/S0552).(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "comment": "[Egregor](https://attack.mitre.org/software/S0554) can inject its payload into the iexplore.exe process.(Citation: Cyble Egregor Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has checked for the LogMeIn event log in an attempt to encrypt files on remote machines.(Citation: Cyble Egregor Oct 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used regsvr32.exe to execute malicious DLLs.(Citation: JoeSecurity Egregor 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used rundll32 during execution.(Citation: Cybereason Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Egregor](https://attack.mitre.org/software/S0554) can perform a language check of the infected system and can query the CPU information (cpuid).(Citation: JoeSecurity Egregor 2020)(Citation: NHS Digital Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Egregor](https://attack.mitre.org/software/S0554) can enumerate all connected drives.(Citation: NHS Digital Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used tools to gather information about users.(Citation: Intrinsec Egregor Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Egregor](https://attack.mitre.org/software/S0554) contains functionality to query the local/system time.(Citation: JoeSecurity Egregor 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "comment": "[Egregor](https://attack.mitre.org/software/S0554) has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes.(Citation: Cyble Egregor Oct 2020)(Citation: NHS Digital Egregor Nov 2020)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Egregor](https://attack.mitre.org/software/S0554) can perform a long sleep (greater than or equal to 3 minutes) to evade detection.(Citation: JoeSecurity Egregor 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Egregor", "color": "#66b1ff"}]}