{"description": "Enterprise techniques used by Bad Rabbit, ATT&CK software S0606 (v1.1)", "name": "Bad Rabbit (S0606)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has attempted to bypass UAC and gain elevated administrative privileges.(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "showSubtechniques": true}, {"techniqueID": "T1110.003", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606)\u2019s infpub.dat file uses NTLM login credentials to brute force Windows machines.(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has encrypted files and disks using AES-128-CBC and RSA-2048.(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1189", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file.(Citation: ESET Bad Rabbit)(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1210", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) used the EternalRomance SMB exploit to spread through victim networks.(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1495", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has used an executable that installs a modified bootloader to prevent normal boot-up.(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.(Citation: ESET Bad Rabbit)(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has used various Windows API calls.(Citation: ESET Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) enumerates open SMB shares on internal victim networks.(Citation: ESET Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has used [Mimikatz](https://attack.mitre.org/software/S0002) to harvest credentials from the victim's machine.(Citation: ESET Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can enumerate all running processes to compare hashes.(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606)\u2019s infpub.dat file creates a scheduled task to launch a malicious executable.(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has used rundll32 to launch a malicious DLL as C:\\Windows\\infpub.dat.(Citation: Secure List Bad Rabbit)", "score": 1, "color": 
"#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) drops a file named infpub.dat into the Windows directory and is executed through SCManager and rundll32.exe.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has been executed through user installation of an executable disguised as a Flash installer.(Citation: ESET Bad Rabbit)(Citation: Secure List Bad Rabbit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Bad Rabbit", "color": "#66b1ff"}]}
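As an added example that is not part of this Navigator layer or of ATT&CK, the Python below loads an excerpt of the layer above, validates it against the conventions the layer itself follows (well-formed technique IDs, scores inside the gradient range, every scored sub-technique listed under a parent with showSubtechniques set), strips the markdown links and citation markers from the comments, and then checks constructed Sysmon-style process-creation events against a small rule table written from those comments. The rule table, the event records and the names in them (install_flash_player.exe is on the page; the user path, task name and example.exe are invented) are this example's own assumptions about how each described behaviour would appear in telemetry, not detection content from ATT&CK or the cited reports. Scored techniques with no rule are reported as telemetry gaps, which is the practical use of a layer like this one.

```python
"""Map a Bad Rabbit ATT&CK Navigator layer onto process-creation telemetry.

Added example, not part of the S0606 layer. Rules and events are constructed.
"""
import json
import re

# Constructed excerpt of the layer on this page (same schema, fewer entries).
LAYER_JSON = r'''
{"name": "Bad Rabbit (S0606)", "domain": "enterprise-attack",
 "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
 "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
 "techniques": [
  {"techniqueID": "T1218", "showSubtechniques": true},
  {"techniqueID": "T1218.011", "score": 1, "color": "#66b1ff", "showSubtechniques": true,
   "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has used rundll32 to launch a malicious DLL as C:\\Windows\\infpub.dat.(Citation: Secure List Bad Rabbit)"},
  {"techniqueID": "T1053", "showSubtechniques": true},
  {"techniqueID": "T1053.005", "score": 1, "color": "#66b1ff", "showSubtechniques": true,
   "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606)\u2019s infpub.dat file creates a scheduled task to launch a malicious executable.(Citation: Secure List Bad Rabbit)"},
  {"techniqueID": "T1036", "showSubtechniques": true},
  {"techniqueID": "T1036.005", "score": 1, "color": "#66b1ff", "showSubtechniques": true,
   "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has masqueraded as a Flash Player installer through the executable file install_flash_player.exe.(Citation: ESET Bad Rabbit)(Citation: Secure List Bad Rabbit)"},
  {"techniqueID": "T1486", "score": 1, "color": "#66b1ff", "showSubtechniques": false,
   "comment": "[Bad Rabbit](https://attack.mitre.org/software/S0606) has encrypted files and disks using AES-128-CBC and RSA-2048.(Citation: Secure List Bad Rabbit)"}
 ]}
'''

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # T1234 or T1234.001
LINK = re.compile(r"\[([^\]]+)\]\([^)]+\)")     # [text](url) -> text
CITE = re.compile(r"\(Citation: [^)]+\)")       # (Citation: ...) -> dropped


def load_layer(text):
    """Parse a Navigator layer and reject malformed IDs or out-of-range scores."""
    layer = json.loads(text)
    lo, hi = layer["gradient"]["minValue"], layer["gradient"]["maxValue"]
    for t in layer["techniques"]:
        if not TECH_ID.match(t["techniqueID"]):
            raise ValueError(f"bad technique ID {t['techniqueID']!r}")
        if "score" in t and not lo <= t["score"] <= hi:
            raise ValueError(f"{t['techniqueID']} score outside gradient range")
    return layer


def scored_techniques(layer):
    """Return {techniqueID: plain-text comment} for entries the layer scores."""
    out = {}
    for t in layer["techniques"]:
        if "score" in t:
            text = CITE.sub("", LINK.sub(r"\1", t.get("comment", "")))
            out[t["techniqueID"]] = text.strip()
    return out


def check_parents(layer):
    """List scored sub-techniques whose parent is missing or not expanded."""
    ids = {t["techniqueID"]: t for t in layer["techniques"]}
    missing = []
    for tid, entry in ids.items():
        if "." in tid and "score" in entry:
            parent = ids.get(tid.split(".")[0])
            if parent is None or not parent.get("showSubtechniques"):
                missing.append(tid)
    return missing


# Assumed rules, written from the layer comments, over Sysmon EID 1-style fields.
RULES = {
    "T1218.011": lambda e: e["image"].lower().endswith("\\rundll32.exe")
                           and "infpub.dat" in e["cmdline"].lower(),
    "T1053.005": lambda e: e["image"].lower().endswith("\\schtasks.exe")
                           and "/create" in e["cmdline"].lower(),
    "T1036.005": lambda e: e["image"].lower().endswith("\\install_flash_player.exe"),
}

EVENTS = [  # constructed process-creation records, not real telemetry
    {"image": r"C:\Users\alice\Downloads\install_flash_player.exe",
     "cmdline": "install_flash_player.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Create /RU SYSTEM /SC ONSTART /TN Update /TR C:\Windows\example.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def triage(events, layer):
    """Return (hits, unobserved): techniques the events matched, keyed to the
    matching command lines, and scored techniques no rule can observe."""
    scored = scored_techniques(layer)
    hits = {}
    for e in events:
        for tid, rule in RULES.items():
            if tid in scored and rule(e):
                hits.setdefault(tid, []).append(e["cmdline"])
    unobserved = sorted(tid for tid in scored if tid not in RULES)
    return hits, unobserved


if __name__ == "__main__":
    layer = load_layer(LAYER_JSON)
    for tid in check_parents(layer):
        print("parent not expanded for", tid)
    hits, unobserved = triage(EVENTS, layer)
    for tid, cmds in sorted(hits.items()):
        print(tid, "->", scored_techniques(layer)[tid], cmds)
    print("no telemetry rule for:", unobserved)
```

Running the script against the full layer (replace LAYER_JSON with the file contents) would list every scored technique the rule table does not cover, which is where detection engineering effort for this family should go next; the match predicates are deliberately narrow string checks so that the gap list, not the rules, is the point.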