{"description": "Enterprise techniques used by Turian, ATT&CK software S0647 (v1.0)", "name": "Turian (S0647)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Turian](https://attack.mitre.org/software/S0647) has the ability to use HTTP for its C2.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "[Turian](https://attack.mitre.org/software/S0647) can use WinRAR to create a password-protected archive for files of interest.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Turian](https://attack.mitre.org/software/S0647) can establish persistence by adding Registry Run keys.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Turian](https://attack.mitre.org/software/S0647) can create a remote shell and execute commands using [cmd](https://attack.mitre.org/software/S0106).(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[Turian](https://attack.mitre.org/software/S0647) has the ability to use /bin/sh to execute commands.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[Turian](https://attack.mitre.org/software/S0647) has the ability to use Python to spawn a Unix shell.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.001", "comment": "[Turian](https://attack.mitre.org/software/S0647) can insert pseudo-random characters into its network encryption setup.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Turian](https://attack.mitre.org/software/S0647) can store copied files in a specific directory prior to exfiltration.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Turian](https://attack.mitre.org/software/S0647) has the ability to use a XOR decryption key to extract C2 server domains and IP addresses.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Turian](https://attack.mitre.org/software/S0647) can search for specific files and list directories.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Turian](https://attack.mitre.org/software/S0647) can download additional files and tools from its C2.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "[Turian](https://attack.mitre.org/software/S0647) can disguise as a legitimate service to blend into normal operations.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "comment": "[Turian](https://attack.mitre.org/software/S0647) can use VMProtect for obfuscation.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[Turian](https://attack.mitre.org/software/S0647) can scan for removable media to collect data.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Turian](https://attack.mitre.org/software/S0647) has the ability to take screenshots.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Turian](https://attack.mitre.org/software/S0647) can retrieve system information including OS version, memory usage, local hostname, and system adapter information.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Turian](https://attack.mitre.org/software/S0647) can retrieve the internal IP address of a compromised host.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Turian](https://attack.mitre.org/software/S0647) can retrieve usernames.(Citation: ESET BackdoorDiplomacy Jun 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Turian", "color": "#66b1ff"}]}