{"description": "Enterprise techniques used by WarzoneRAT, ATT&CK software S0670 (v1.1)", "name": "WarzoneRAT (S0670)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions [WarzoneRAT](https://attack.mitre.org/software/S0670) can use the IFileOperation exploit to bypass the UAC module.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can add itself to the `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` and `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UIF2IS20VK` Registry keys.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can use PowerShell to download files and execute commands.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can use `cmd.exe` to execute malicious code.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can collect data from a compromised host.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can use XOR 0x45 to decrypt obfuscated code.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can encrypt its C2 with RC4 with the password `warzone160\\x00`.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.015", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can perform COM hijacking by setting the path to itself in the `HKCU\\Software\\Classes\\Folder\\shell\\open\\command` key with a `DelegateExecute` parameter.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can send collected victim data to its C2 server.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can enumerate directories on a compromised host.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can masquerade the Process Environment Block on a compromised host to hide its attempts to elevate privileges through `IFileOperation`.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can perform remote desktop access via an hVNC window for decreased visibility.(Citation: Bitdefender Trickbot VNC module Whitepaper 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can disarm Windows Defender during the UAC process to evade detection.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can download and execute additional files.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) has the capability to install a live and offline keylogger, including through the use of the `GetAsyncKeyState` Windows API.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can create `HKCU\\Software\\Classes\\Folder\\shell\\open\\command` as a new registry key during privilege escalation.(Citation: Uptycs Warzone UAC Bypass November 2020)(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can use a variety of API calls on a compromised host.(Citation: Uptycs Warzone UAC Bypass November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can communicate with its C2 server via TCP over port 5200.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) has been distributed as a malicious attachment within an email.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can obtain a list of processes on a compromised host.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) has the ability to inject malicious DLLs into a specific process for privilege escalation.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) has the capability to act as a reverse proxy.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) has the ability to control an infected PC using RDP.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.005", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can perform remote desktop access via a VNC console.(Citation: Check Point Warzone Feb 2020)", "score": 1, 
"color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1014", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can include a rootkit to hide processes, files, and startup.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can collect compromised host information, including OS version, PC name, RAM size, and CPU details.(Citation: Check Point Warzone Feb 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1221", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) has been installed via template injection through a malicious DLL embedded within a template RTF in a Word document.(Citation: Uptycs Confucius APT Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) has relied on a victim to open a malicious attachment within an email for execution.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Confucius APT Jan 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1125", "comment": "[WarzoneRAT](https://attack.mitre.org/software/S0670) can access the webcam on a victim's machine.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by WarzoneRAT", "color": "#66b1ff"}]}