{"description": "Enterprise techniques used by Conficker, ATT&CK software S0608 (v1.0)", "name": "Conficker (S0608)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Conficker](https://attack.mitre.org/software/S0608) adds Registry Run keys to establish persistence.(Citation: Trend Micro Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Conficker](https://attack.mitre.org/software/S0608) copies itself into the %systemroot%\\system32 directory and registers as a service.(Citation: SANS Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[Conficker](https://attack.mitre.org/software/S0608) has used a DGA that seeds with the current UTC victim system date to generate domains.(Citation: SANS Conficker)(Citation: Trend Micro Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1210", "comment": "[Conficker](https://attack.mitre.org/software/S0608) exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request.(Citation: SANS Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Conficker](https://attack.mitre.org/software/S0608) terminates various services related to system security and Windows.(Citation: SANS Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Conficker](https://attack.mitre.org/software/S0608) downloads an HTTP server to the infected machine.(Citation: SANS Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[Conficker](https://attack.mitre.org/software/S0608) resets system restore points and deletes backup files.(Citation: SANS Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Conficker](https://attack.mitre.org/software/S0608) adds keys to the Registry at HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services and various other Registry locations.(Citation: SANS Conficker)(Citation: Trend Micro Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Conficker](https://attack.mitre.org/software/S0608) scans for other machines to infect.(Citation: SANS Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Conficker](https://attack.mitre.org/software/S0608) has obfuscated its code to prevent its removal from host machines.(Citation: Trend Micro Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[Conficker](https://attack.mitre.org/software/S0608) variants spread through NetBIOS share propagation.(Citation: SANS Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1091", "comment": "[Conficker](https://attack.mitre.org/software/S0608) variants used the Windows AUTORUN feature to spread through USB propagation.(Citation: SANS Conficker)(Citation: Trend Micro Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[Conficker](https://attack.mitre.org/software/S0608) uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.(Citation: SANS Conficker)(Citation: Trend Micro Conficker)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Conficker", "color": "#66b1ff"}]}