{"description": "Enterprise techniques used by DarkWatchman, ATT&CK software S0673 (v1.2)", "name": "DarkWatchman (S0673)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) uses HTTPS for command and control.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1010", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) reports window names along with keylogger information to provide application context.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1217", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can retrieve browser history.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can execute PowerShell commands and has used PowerShell to execute a keylogger.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can use `cmd.exe` to execute commands.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) uses JavaScript to perform its core functionalities.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": 
"[DarkWatchman](https://attack.mitre.org/software/S0673) encodes data using hexadecimal representation before sending it to the C2 server.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can collect files from a compromised host.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can stage local data in the Windows Registry.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has the ability to self-extract as a RAR archive.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has used a DGA to generate a domain name for C2.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can use TLS to encrypt its C2 channel.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has the ability to enumerate file and folder names.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can uninstall malicious components from 
the Registry, stop processes, and clear the browser history.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1070.004", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has been observed deleting its original launcher after installation.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1490", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can delete shadow volumes using vssadmin.exe.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1056", "showSubtechniques": true},
{"techniqueID": "T1056.001", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can track key presses with a keylogger module.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1036", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has used an icon mimicking a text file to mask a malicious executable.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1112", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can modify Registry values to store configuration strings, the keylogger, and the output of its components.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1027", "showSubtechniques": true},
{"techniqueID": "T1027.004", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has used the csc.exe tool to compile a C# executable.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.010", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has used Base64 to encode PowerShell commands.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.011", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can store configuration strings, the keylogger, and the output of its components in the Registry.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.015", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has been delivered as compressed RAR payloads in ZIP files to victims.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1120", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can list signed PnP drivers for smartcard readers.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1566", "showSubtechniques": true},
{"techniqueID": "T1566.001", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has been delivered via spearphishing emails that contain a malicious zip file.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1012", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can query the Registry to determine if it has already been installed on the system.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1053", "showSubtechniques": true},
{"techniqueID": "T1053.005", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has created a scheduled task for persistence.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1129", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can load DLLs.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1518", "showSubtechniques": true},
{"techniqueID": "T1518.001", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can search for anti-virus products on the system.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1082", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can collect the OS version, system architecture, and computer name.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1614", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can identify the OS locale of a compromised host.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1033", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has collected the username from a victim machine.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1124", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can collect time zone information and system `UPTIME`.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1047", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can use WMI to execute commands.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by DarkWatchman", "color": "#66b1ff"}]}
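The object above is an ATT&CK Navigator layer: a flat list of technique entries whose `comment` fields carry the observed behaviour and whose `score`/`color` drive the heat-map. As an added example (not part of the layer file and not MITRE's own tooling), the Python below loads such a layer, lints it for the inconsistencies a reviewer would want fixed (a sub-technique whose parent entry is missing or does not expand, a scored entry with no explicit color, duplicate IDs), and turns the comments into a plain-text hunting checklist grouped by parent technique. `LAYER_JSON` is a constructed subset of the DarkWatchman entries; the T1053 parent entry is deliberately omitted and T1070's color is deliberately absent so that the lint has something to flag. All function names are this example's own.

```python
"""Lint an ATT&CK Navigator layer and derive a hunting checklist from it.

Added example; the embedded layer is a constructed subset of the
DarkWatchman (S0673) layer, with two defects introduced on purpose.
"""
import json
import re
from collections import defaultdict

# Constructed sample: T1053 parent omitted, T1070 has score but no color.
LAYER_JSON = r'''
{
  "name": "DarkWatchman (S0673) subset",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can execute PowerShell commands and has used PowerShell to execute a keylogger.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can use `cmd.exe` to execute commands.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can uninstall malicious components from the Registry, stop processes, and clear the browser history.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has been observed deleting its original launcher after installation.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) can delete shadow volumes using vssadmin.exe.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053.005", "comment": "[DarkWatchman](https://attack.mitre.org/software/S0673) has created a scheduled task for persistence.(Citation: Prevailion DarkWatchman 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}
}
'''

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
MD_LINK = re.compile(r"\[([^\]]+)\]\([^)]+\)")      # [text](url) -> text
CITATION = re.compile(r"\(Citation: [^)]+\)")        # (Citation: ...) markers


def load_layer(text):
    """Parse layer JSON and reject entries whose techniqueID is malformed."""
    layer = json.loads(text)
    for entry in layer.get("techniques", []):
        tid = entry.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed techniqueID: {tid!r}")
    return layer


def plain_comment(comment):
    """Strip Navigator markdown links and citation markers from a comment."""
    text = MD_LINK.sub(r"\1", comment)
    text = CITATION.sub("", text)
    return re.sub(r"\s+", " ", text).strip()


def scored_techniques(layer):
    """IDs the layer actually attributes to the software (score > 0), sorted."""
    return sorted(e["techniqueID"] for e in layer["techniques"] if e.get("score", 0) > 0)


def lint_layer(layer):
    """Return consistency problems: duplicates, orphaned sub-techniques, missing colors."""
    entries, issues = {}, []
    for e in layer["techniques"]:
        tid = e["techniqueID"]
        if tid in entries:
            issues.append(f"{tid}: duplicate entry")
        entries[tid] = e
    has_gradient = "gradient" in layer
    for tid, e in entries.items():
        if "." in tid:
            parent = tid.split(".")[0]
            if parent not in entries:
                issues.append(f"{tid}: parent {parent} has no entry")
            elif not entries[parent].get("showSubtechniques", False):
                issues.append(f"{tid}: parent {parent} does not show sub-techniques")
        if e.get("score", 0) > 0 and "color" not in e and has_gradient:
            issues.append(f"{tid}: scored but relies on gradient, no explicit color")
    return issues


def hunting_checklist(layer):
    """Group scored techniques by parent ID with their plain-text comments."""
    checklist = defaultdict(list)
    for e in layer["techniques"]:
        if e.get("score", 0) <= 0:
            continue
        tid = e["techniqueID"]
        checklist[tid.split(".")[0]].append((tid, plain_comment(e.get("comment", ""))))
    return dict(checklist)


if __name__ == "__main__":
    layer = load_layer(LAYER_JSON)
    for issue in lint_layer(layer):
        print("LINT:", issue)
    for parent, items in sorted(hunting_checklist(layer).items()):
        print(parent)
        for tid, text in items:
            print(f"  {tid}: {text}")
```

Run against the full layer above, the lint reports exactly one finding (the T1070 entry carries a score but no color, so it is shaded by the gradient rather than the explicit legend color), and the checklist gives an analyst the per-tactic behaviours (Registry staging, scheduled-task persistence, `vssadmin.exe` shadow deletion, `csc.exe` compilation) without the link and citation markup.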