{"description": "Enterprise techniques used by SMOKEDHAM, ATT&CK software S0649 (v1.2)", "name": "SMOKEDHAM (S0649)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used net.exe user and net.exe users to enumerate local accounts on a compromised host.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.007", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has added user accounts to local Admin groups.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has communicated with its C2 servers via HTTPS and HTTP POST requests.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used reg.exe to create a Registry Run key.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) can execute Powershell commands sent from its C2 server.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has created user accounts.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has encoded its C2 traffic with Base64.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has encrypted its C2 traffic with RC4.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has exfiltrated data to its C2 server.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.002", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has modified the Registry to hide created user accounts from the Windows logon screen. (Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used Powershell to download UltraVNC and [ngrok](https://attack.mitre.org/software/S0508) from third-party file sharing sites.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) can continuously capture keystrokes.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.009", "comment": "The [SMOKEDHAM](https://attack.mitre.org/software/S0649) source code is embedded in the dropper as an encrypted string.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598", "showSubtechniques": true}, {"techniqueID": "T1598.003", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has been delivered via malicious links in phishing emails.(Citation: FireEye Shining A Light on DARKSIDE May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.004", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used a fronted domain to obfuscate its hard-coded C2 server domain.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) can capture screenshots of the victim\u2019s desktop.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used the systeminfo command on a compromised host.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used whoami commands to identify system owners.(Citation: FireEye SMOKEDHAM June 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has relied upon users clicking on a malicious link delivered through phishing.(Citation: FireEye Shining A Light on DARKSIDE May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[SMOKEDHAM](https://attack.mitre.org/software/S0649) has used Google Drive and Dropbox to host files downloaded by victims via malicious links.(Citation: FireEye Shining A Light on DARKSIDE May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by SMOKEDHAM", "color": "#66b1ff"}]}