{"description": "Enterprise techniques used by Lizar, ATT&CK software S0681 (v1.0)", "name": "Lizar (S0681)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.003", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has encrypted data before sending it to the server.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1217", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can retrieve browser history and database files.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used PowerShell scripts.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a command to open the command-line on the infected system.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a module to collect usernames and passwords stored in browsers.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.004", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a 
plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using `vaultcmd.exe` and another that can collect RDP access credentials using the `CredEnumerateW` function.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can decrypt its configuration data.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can support encrypted communications between the client and server.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can download additional plugins, files, and tools.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used various Windows API functions on a victim's machine.(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can run [Mimikatz](https://attack.mitre.org/software/S0002) to harvest credentials.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a plugin designed to obtain a list of processes.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can migrate 
the loader into another process.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading.(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.002", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can execute PE files in the address space of the specified process.(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can take JPEG screenshots of an infected system.(Citation: Threatpost Lizar May 2021)(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can search for processes associated with an anti-virus product from a list.(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can collect the computer name from the machine.(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can retrieve network information from a compromised host.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Lizar](https://attack.mitre.org/software/S0681) has a plugin to retrieve information about all active network sessions on the infected server.(Citation: BiZone Lizar May 2021)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Lizar](https://attack.mitre.org/software/S0681) can collect the username from the system.(Citation: BiZone Lizar May 2021) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Lizar", "color": "#66b1ff"}]}