{"description": "Enterprise techniques used by Siloscape, ATT&CK software S0623 (v1.0)", "name": "Siloscape (S0623)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) connects to an IRC server for C2.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) can run cmd through an IRC channel.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1609", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) has decrypted the password of the C2 server with a simple byte by byte XOR. \n[Siloscape](https://attack.mitre.org/software/S0623) also writes both an archive of [Tor](https://attack.mitre.org/software/S0183) and the unzip binary to disk from data embedded within the payload using Visual Studio\u2019s Resource Manager.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1611", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) maps the host\u2019s C drive to the container by creating a global symbolic link to the host through the calling of NtSetInformationSymbolicLink.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1190", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) is executed after the attacker gains initial access to a Windows container using a known vulnerability.(Citation: Unit 42 Siloscape Jun 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) has leveraged a vulnerability in Windows containers to perform an [Escape to Host](https://attack.mitre.org/techniques/T1611).(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": " [Siloscape](https://attack.mitre.org/software/S0623) searches for the Kubernetes config file and other related files using a regular expression.(Citation: Unit 42 Siloscape Jun 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) makes various native API calls.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) itself is obfuscated and uses obfuscated API calls.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1069", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) checks for Kubernetes node permissions.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.003", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) uses [Tor](https://attack.mitre.org/software/S0183) to communicate with C2.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "comment": "[Siloscape](https://attack.mitre.org/software/S0623) searches for the kubectl binary.(Citation: Unit 42 Siloscape Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Siloscape", "color": "#66b1ff"}]}