{"description": "Enterprise techniques used by NativeZone, ATT&CK software S0637 (v1.0)", "name": "NativeZone (S0637)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1140", "comment": "[NativeZone](https://attack.mitre.org/software/S0637) can decrypt and decode embedded [Cobalt Strike](https://attack.mitre.org/software/S0154) beacon stage shellcode.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1480", "comment": "[NativeZone](https://attack.mitre.org/software/S0637) can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "[NativeZone](https://attack.mitre.org/software/S0637) has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system.(Citation: SentinelOne NobleBaron June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[NativeZone](https://attack.mitre.org/software/S0637) has used rundll32 to execute a malicious DLL.(Citation: SentinelOne NobleBaron June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[NativeZone](https://attack.mitre.org/software/S0637) can display an RTF document to the user to enable execution of [Cobalt Strike](https://attack.mitre.org/software/S0154) stage shellcode.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1497.001", "comment": "[NativeZone](https://attack.mitre.org/software/S0637) has checked if a VMware or VirtualBox VM is running on a compromised host.(Citation: MSTIC Nobelium Toolset May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by NativeZone", "color": "#66b1ff"}]}