{
  "description": "Enterprise techniques used by FoggyWeb, ATT&CK software S0661 (v1.1)",
  "name": "FoggyWeb (S0661)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) has the ability to communicate with C2 servers over HTTP GET/POST requests.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.002", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can invoke the `Common.Compress` method to compress data with the C# GZipStream compression class.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560.003", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. Also, [FoggyWeb](https://attack.mitre.org/software/S0661) can encode C2 command output within a legitimate WebP file.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can retrieve configuration data from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using an XOR key.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) has used a dynamic XOR key and custom XOR methodology for C2 communications.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can remotely exfiltrate sensitive information from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661)'s loader can check for the [FoggyWeb](https://attack.mitre.org/software/S0661) backdoor .pri file on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661)'s loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can receive additional malicious components from an actor-controlled C2 server and execute them on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can masquerade the output of C2 commands as a fake, but legitimately formatted WebP file.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can be disguised as a Visual Studio file such as `Windows.Data.TimeZones.zh-PH.pri` to evade detection. Also, [FoggyWeb](https://attack.mitre.org/software/S0661)'s loader can mimic a genuine `dll` file that carries out the same import functions as the legitimate Windows `version.dll` file.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661)'s loader can use API functions to load the [FoggyWeb](https://attack.mitre.org/software/S0661) backdoor into the same Application Domain within which the legitimate AD FS managed code is executed.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1040", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.004", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) has been XOR-encoded.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661)'s loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's `Microsoft.IdentityServer.ServiceHost.exe` process.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1620", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661)'s loader has reflectively loaded .NET-based assembly/payloads into memory.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1129", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661)'s loader can call the load() function to load the [FoggyWeb](https://attack.mitre.org/software/S0661) dll into an Application Domain on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.004", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can retrieve token signing certificates and token decryption certificates from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1550", "comment": "[FoggyWeb](https://attack.mitre.org/software/S0661) can allow abuse of a compromised AD FS server's SAML token.(Citation: MSTIC FoggyWeb September 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by FoggyWeb", "color": "#66b1ff"}]
}