{"description": "Enterprise techniques used by SombRAT, ATT&CK software S0615 (v1.2)", "name": "SombRAT (S0615)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can communicate over DNS with the C2 server.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.003", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has encrypted collected data with AES-256 using a hardcoded key.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has collected data and files from a compromised host.(Citation: BlackBerry CostaRicto November 2020)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can store harvested data in a custom database under the %TEMP% directory.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can run upload to decrypt and upload files from storage.(Citation: BlackBerry CostaRicto November 2020)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can use a custom DGA to generate a subdomain for C2.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has encrypted its C2 communications with AES.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can SSL encrypt C2 traffic.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has uploaded collected data and files from a compromised host to its C2 server.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can execute enum to enumerate files in storage on a compromised system.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.010", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has the ability to modify its process memory to hide process command-line arguments.(Citation: FireEye FiveHands April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has the ability to download and execute additional payloads.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can use a legitimate process name to hide itself.(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has the ability to respawn itself using ShellExecuteW and CreateProcessW.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has the ability to use TCP sockets to send data and ICMP to ping the C2 server.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can use the getprocesslist command to enumerate processes on a compromised host.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL from disk, storage, or memory respectively.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) has the ability to use an embedded SOCKS proxy in C2 communications.(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can execute getinfo to enumerate the computer name and OS version of a compromised system.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can execute getinfo to identify the username on a compromised host.(Citation: BlackBerry CostaRicto November 2020)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can enumerate services on a victim machine.(Citation: BlackBerry CostaRicto November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[SombRAT](https://attack.mitre.org/software/S0615) can execute getinfo to discover the current time on a compromised host.(Citation: BlackBerry CostaRicto November 2020)(Citation: CISA AR21-126A FIVEHANDS May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SombRAT", "color": "#66b1ff"}]}