{"description": "Enterprise techniques used by SUNSPOT, ATT&CK software S0562 (v1.2)", "name": "SUNSPOT (S0562)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) modified its security token to grants itself debugging privileges by adding SeDebugPrivilege.(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1565", "showSubtechniques": true}, {"techniqueID": "T1565.001", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) created a copy of the SolarWinds Orion software source file with a .bk extension to backup the original content, wrote [SUNBURST](https://attack.mitre.org/software/S0559) using the same filename but with a .tmp extension, and then moved [SUNBURST](https://attack.mitre.org/software/S0559) using MoveFileEx to the original filename with a .cs extension so it could be compiled within Orion software.(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) decrypts [SUNBURST](https://attack.mitre.org/software/S0559), which was stored in AES128-CBC encrypted blobs.(Citation: CrowdStrike SUNSPOT Implant January 2021)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values.(Citation: CrowdStrike SUNSPOT Implant January 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) creates a mutex using the hard-coded value ` {12d61a41-4b74-7610-a4d8-3028d2f56395}` to ensure that only one instance of itself is running.(Citation: CrowdStrike SUNSPOT Implant January 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) enumerated the Orion software Visual Studio solution directory path.(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "Following the successful injection of [SUNBURST](https://attack.mitre.org/software/S0559), [SUNSPOT](https://attack.mitre.org/software/S0562) deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library.(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\\Windows\\Temp\\vmware-vmdmp.log.(Citation: CrowdStrike SUNSPOT Implant January 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the [SUNBURST](https://attack.mitre.org/software/S0559) injection process.(Citation: CrowdStrike SUNSPOT Implant January 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for [SUNBURST](https://attack.mitre.org/software/S0559) source code and data extracted from the SolarWinds Orion  process.(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) monitored running processes for instances of MsBuild.exe by hashing the name of each running process and comparing it to the corresponding value 0x53D525. It also extracted command-line arguments and individual arguments from the running MsBuild.exe process to identify the directory path of the Orion software Visual Studio solution.(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1195", "showSubtechniques": true}, {"techniqueID": "T1195.002", "comment": "[SUNSPOT](https://attack.mitre.org/software/S0562) malware was designed and used to insert [SUNBURST](https://attack.mitre.org/software/S0559) into software builds of the SolarWinds Orion IT management product.(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SUNSPOT", "color": "#66b1ff"}]}