{"description": "Enterprise techniques used by Clambling, ATT&CK software S0660 (v1.0)", "name": "Clambling (S0660)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to bypass UAC using a `passuac.dll` file.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to use Telnet for communication.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to communicate over HTTP.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can establish persistence by adding a Registry run key.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1115", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to capture and store clipboard data.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "The [Clambling](https://attack.mitre.org/software/S0660) dropper can use PowerShell to download the malware.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can use cmd.exe for command execution.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can register itself as a system service to gain persistence.(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can collect information from a compromised host.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can deobfuscate its payload prior to execution.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can send files from a victim's machine to Dropbox.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can browse directories on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to set its file attributes to hidden.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can store a file named `mpsvc.dll`, which opens a malicious `mpsvc.mui` file, in the same folder as the legitimate Microsoft executable `MsMpEng.exe` to gain execution.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can capture keystrokes on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can set and delete Registry keys.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to enumerate network shares.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to use TCP and UDP for communication.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "The [Clambling](https://attack.mitre.org/software/S0660) executable has been obfuscated when dropped on a compromised host.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has been delivered to victim's machines through malicious e-mail attachments.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can enumerate processes on a targeted system.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can inject into the `svchost.exe` process for execution.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can execute binaries through process hollowing.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to enumerate Registry keys, including KEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt\\strDataDir to search for a bitcoin wallet.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has the ability to capture screenshots.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can discover the hostname, computer name, and Windows version of a targeted machine.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can enumerate the IP address of a compromised machine.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can identify the username on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can create and start services on a compromised host.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1124", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can determine the current time.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Clambling](https://attack.mitre.org/software/S0660) has gained execution through luring victims into opening malicious files.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1125", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can record screen content in AVI format.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can wait 30 minutes before initiating contact with C2.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Clambling](https://attack.mitre.org/software/S0660) can use Dropbox to download malicious payloads, send commands, and receive information.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Clambling", "color": "#66b1ff"}]}