{"description": "Enterprise techniques used by Tomiris, ATT&CK software S0671 (v1.0)", "name": "Tomiris (S0671)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Tomiris](https://attack.mitre.org/software/S0671) can use HTTP to establish C2 communications.(Citation: Kaspersky Tomiris Sep 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Tomiris](https://attack.mitre.org/software/S0671) has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.(Citation: Kaspersky Tomiris Sep 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": "[Tomiris](https://attack.mitre.org/software/S0671) has connected to a signalization server that provides a URL and port, and then [Tomiris](https://attack.mitre.org/software/S0671) sends a GET request to that URL to establish C2.(Citation: Kaspersky Tomiris Sep 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": " [Tomiris](https://attack.mitre.org/software/S0671) can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.(Citation: Kaspersky Tomiris Sep 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Tomiris](https://attack.mitre.org/software/S0671) can download files and execute them on a victim's system.(Citation: Kaspersky Tomiris Sep 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Tomiris](https://attack.mitre.org/software/S0671) has been packed with UPX.(Citation: Kaspersky Tomiris Sep 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Tomiris](https://attack.mitre.org/software/S0671) has used `SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR \"[path to self]\" /ST 10:00` to establish persistence.(Citation: Kaspersky Tomiris Sep 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[Tomiris](https://attack.mitre.org/software/S0671) has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems.(Citation: Kaspersky Tomiris Sep 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Tomiris", "color": "#66b1ff"}]}