{
  "description": "Enterprise techniques used by TAINTEDSCRIBE, ATT&CK software S0586 (v1.0)",
  "name": "TAINTEDSCRIBE (S0586)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1560", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) has used FileReadZipSend to compress a file and send to C2.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can copy itself into the current user\u2019s Startup folder as \u201cNarrator.exe\u201d for persistence.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can enable Windows CLI access and execute files.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1001", "showSubtechniques": true},
    {"techniqueID": "T1001.003", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) has used FakeTLS for session authentication.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1008", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IP fails, it will wait 60 seconds and then try another IP address.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can use DirectoryList to enumerate files in a specified directory.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can delete files from a compromised host.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.006", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can change the timestamp of specified filenames.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can download additional modules from its C2 server.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "The [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) main executable has disguised itself as Microsoft\u2019s Narrator.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.001", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can execute FileRecvWriteRand to append random bytes to the end of a file received from C2.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can execute ProcessList for process discovery.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1018", "comment": "The [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) command and execution module can perform target system enumeration.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can use DriveList to retrieve drive information.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) can execute GetLocalTime for time discovery.(Citation: CISA MAR-10288834-2.v1  TAINTEDSCRIBE MAY 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by TAINTEDSCRIBE", "color": "#66b1ff"}]
}