{
  "description": "Enterprise techniques used by Kobalos, ATT&CK software S0641 (v1.0)",
  "name": "Kobalos (S0641)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.004", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.(Citation: ESET Kobalos Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1554", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) can write captured SSH connection credentials to a file under the /var/run directory with a .pid extension for exfiltration.(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) decrypts strings right after the initial communication, but before the authentication process.(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[Kobalos](https://attack.mitre.org/software/S0641)'s post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[Kobalos](https://attack.mitre.org/software/S0641)'s authentication and key exchange is performed using RSA-512.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1048", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) can exfiltrate credentials over the network via UDP.(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.003", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) can remove all command history on compromised hosts.(Citation: ESET Kobalos Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.006", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) can modify timestamps of replaced files, such as ssh with the added credential stealer or sshd used to deploy [Kobalos](https://attack.mitre.org/software/S0641).(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1056", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) encrypts all strings using RC4 and bundles all functionality into a single function call.(Citation: ESET Kobalos Feb 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "showSubtechniques": true},
    {"techniqueID": "T1090.003", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) can chain together multiple compromised machines as proxies to reach their final targets.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) can record the hostname and kernel version of the target machine.(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) can record the IP address of the target machine.(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1205", "comment": "[Kobalos](https://attack.mitre.org/software/S0641) is triggered by an incoming TCP connection to a legitimate service from a specific source port.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Kobalos", "color": "#66b1ff"}]
}