{"description": "Enterprise techniques used by RCSession, ATT&CK software S0662 (v1.2)", "name": "RCSession (S0662)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can bypass UAC to escalate privileges.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can use HTTP in C2 communications.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[RCSession](https://attack.mitre.org/software/S0662) has the ability to modify a Registry Run key to establish persistence.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can use `cmd.exe` for execution on compromised hosts.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can collect data from a compromised host.(Citation: Profero APT27 December 2020)(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can use an encrypted beacon to check in with C2.(Citation: Secureworks BRONZE PRESIDENT December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can be installed via DLL side-loading.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can remove files from a targeted system.(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[RCSession](https://attack.mitre.org/software/S0662) has the ability to drop additional files to an infected machine.(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[RCSession](https://attack.mitre.org/software/S0662) has the ability to capture keystrokes on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "[RCSession](https://attack.mitre.org/software/S0662) has used a file named English.rtf to appear benign on victim hosts.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can write its configuration file to the Registry.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can use WinSock API for communication including WSASend and WSARecv.(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[RCSession](https://attack.mitre.org/software/S0662) has the ability to use TCP and UDP in C2 communications.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can store its obfuscated configuration file in the Registry under `HKLM\\SOFTWARE\\Plus` or `HKCU\\SOFTWARE\\Plus`.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can compress and obfuscate its strings to evade detection on a compromised host.(Citation: Trend Micro DRBControl February 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can identify processes based on PID.(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can launch itself from a hollowed svchost.exe process.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can capture screenshots from a compromised host.(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[RCSession](https://attack.mitre.org/software/S0662) has the ability to execute inside the msiexec.exe process.(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can gather system information from a compromised host.(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[RCSession](https://attack.mitre.org/software/S0662) can gather system owner information, including user and administrator privileges.(Citation: Profero APT27 December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by RCSession", "color": "#66b1ff"}]}